Marks & Spencer's Chair Discloses Ransomware Incident, Remains Discreet Regarding Potential Ransom Payment
Marks & Spencer (M&S), the renowned British retailer, has confirmed a ransomware attack on its systems in April. According to M&S chairman, Archie Norman, the attack was ransomware-related, and reports suggest it was perpetrated by the ransomware operator DragonForce, working in cohesion with other "loosely aligned" actors, such as the cyber espionage group LokiBot.
The attack on M&S networks occurred through a "sophisticated" social engineering attack, involving a third party. As a result, approximately 50,000 employees, colleagues, contractors, and outsourced workers in India were affected. To prevent further lateral movement, large swathes of M&S systems had to be shut down, heavily affecting online shopping.
Reports suggest that Scattered Spider, a hacking collective, leveraged compromised credentials from Tata Consultancy Services (TCS), a major IT outsourcing firm, to infiltrate M&S. However, Archie Norman did not provide a clear answer regarding whether a ransom demand was paid to the attackers. M&S chose not to directly communicate with the attackers, instead relying on professional intermediaries to do so.
The Co-op, another British retailer, experienced an attack shortly after M&S. Despite having heavily segmented systems, the Co-op's attackers were able to access member information, limited to names, addresses, and dates of birth. The Co-op was not aware of the attack on M&S when attackers first accessed its systems, but subsequently shared information via the National Cyber Security Centre (NCSC).
Norman is aware of a large number of serious attacks that do not get reported in the UK. He supports mandatory reporting for "material" cybersecurity incidents. The retailer is still in the process of bringing these systems back up securely.
Archie Norman stated that making a ransom payment is considered a "business decision." The attack demands came through media channels, most commonly the BBC. Norman did not elaborate on whether a ransom was paid or not.
Despite the challenges, M&S remains committed to strengthening its cybersecurity measures to protect its customers and employees. The incident serves as a reminder for all businesses to prioritise cybersecurity and be vigilant against such threats.
