• M&S chairman Archie Norman attributes recent ransomware attack to DragonForce
• Law enforcement is still involved, and we don’t know any ransom details
• Norman is calling for greater transparency and cyberattack reporting

M&S is still refusing to confirm whether it paid a ransom following a recent major cyberattack, but at least we have an indication of its cause.

The attack is believed to have been carried out by DragonForce, a ransomware operation thought to be based in Asia or Russia – a separate group from the hacktivists at the similarly named DragonForce Malaysia.

M&S chairman Archie Norman explained that disclosing details of any ransom would not be in the public interest, given that law enforcement agencies are still involved with the case.

M&S shares more information on attack

“We’ve said that we are not discussing any of the details of our interaction with the threat actor,” Norman stressed, speaking at a UK Parliament hearing on cyberattacks in the retail sector.

We now know the initial breach occurred via social engineering, with the attacker impersonating an M&S worker and tricking a third party into resetting an employee’s password.

The Financial Times revealed just weeks after the cyberattack that Tata Consultancy Services, a third party that M&S uses to help manage help desk support, could have been inadvertently tied up in the breach.

Attackers threatened to leak the acquired data, but they also encrypted it, locking M&S out of it, in what’s known as a double extortion attack. In May, M&S confirmed that names, birth dates, addresses, phone numbers, household information and order histories were all included.

150GB of data was reportedly stolen before M&S shut down systems to prevent further spread, leading to delivery disruptions. Recovery efforts are still ongoing, with Norman expecting full recovery by October or November 2025.

DragonForce has not posted M&S data, possibly implying that a ransom could have been paid or that negotiations are ongoing.

Looking ahead, Norman is calling for more transparency around reporting cyberattacks: “We have reason to believe there’ve been two major cyberattacks on large British companies in the last four months which have gone unreported,” he said.

Via Reuters
