Marks & Spencer chairman Archie Norman has officially declined to disclose whether the retail giant paid a ransom following a major cyberattack earlier this year. During a hearing with U.K. lawmakers, Norman shielded details regarding the company’s engagement with the threat actors behind the breach.
The Stance on Ransom Negotiations
Addressing the panel, Norman stated, “We’ve said that we are not discussing any of the details of our interaction with the threat actor.” He further justified the silence by arguing that discussing ransom payments is not in the public interest, citing ongoing coordination with law enforcement agencies as the primary reason for the nondisclosure.
Norman categorically denied that any internal staff at Marks & Spencer engaged in direct communication with the hackers. He identified the group responsible for the ransomware attack as the cybercriminal syndicate known as DragonForce.
Scale of the Data Breach
The incident, which came to light in May, resulted in the theft of sensitive customer information. Compromised data includes:
- Full names and dates of birth
- Residential and email addresses
- Phone numbers and household details
- Detailed online purchase histories
Beyond the data theft, the attack caused significant operational paralysis. For several weeks, the retailer faced severe supply chain disruptions, resulting in empty shelves and a complete inability for customers to process online orders.
Ongoing Recovery Efforts
Despite the incident occurring months ago, the retail giant is still grappling with the aftermath. Norman confirmed to the parliamentary panel that recovery efforts remain active and are projected to continue through October or November. The company is currently focusing on long-term system restoration and mitigating the lasting impact of the security failure.