
British Businesses Should Report Cyberattacks to Authorities, Says Marks & Spencer Chairman

British businesses should be legally required to report material cyberattacks to the authorities, according to the chairman of retailer Marks & Spencer, Archie Norman. He made this statement while giving evidence to lawmakers on parliament’s Business and Trade Committee regarding the April cyberattack that forced M&S to suspend online shopping for nearly seven weeks.

Norman claimed that two recent major attacks on large UK firms had gone unreported, and the group had learned that "quite a large number" of serious cyberattacks never get reported to the National Cyber Security Centre (NCSC). He believes there is "a big deficit" in knowledge in the cybersecurity space, and companies of a certain size should be required to report material attacks to the NCSC within a time limit.

Details of the M&S Cyberattack

Norman declined to say if M&S had paid any ransom but said that the subject was "fully shared" with the National Crime Agency and other authorities. He mentioned that "loosely aligned parties" worked together on the M&S cyberattack, which was believed to have been carried out by DragonForce, a ransomware operation based in Asia. A hacking collective known as Scattered Spider has previously been blamed in the media for the attack.

Norman stated that M&S didn’t hear from the threat actor for about a week after it initially penetrated its systems on April 17 through a "social engineering" operation. In May, M&S said the attack would cost it about 300 million pounds ($409 million) in lost operating profit.

Importance of Cyberattack Insurance

Norman said M&S was fortunate in having doubled its cyberattack insurance cover last year, though its claim could take 18 months to process. M&S resumed taking online orders for clothing lines on June 10 after a 46-day suspension but is yet to restore click and collect services. Last week, M&S CEO Stuart Machin told investors that the group would be over the worst of the fallout from the attack by August.

Lessons Learned from the Crisis

Nick Folland, M&S’ General Counsel, told lawmakers that a major lesson from the crisis for businesses generally was to make sure they can operate with pen and paper. "That’s what you need to be able to do for a period of time whilst all of your systems are down," he said.

Article Details

  • Published On: Jul 9, 2025, at 09:23 AM IST
