Login
iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
Powered by MOMENTUMMEDIA
The chairman of UK retailer Marks & Spencer (M&S) has refused to answer whether or not the company paid ransom after it was hit by a ransomware attack in April.
Speaking with a panel of lawmakers at the Business and Trade Committee, chairman Archie Norman declined to answer whether or not M&S paid a ransom to the hackers, saying it was not in the interest of the public.
“We’ve said that we are not discussing any of the details of our interaction with the threat actor,” he said.
“We don’t think it’s in the public interest to go into that subject, partly because it is a matter of law enforcement.”
Norman did say that “nobody” at M&S had directly interacted with the threat group, which he said was the DragonForce ransomware gang.
“We believe in this case there was the instigator of the attack and then, believed to be DragonForce, who were a ransomware operation based, we believe, in Asia.”
The media has previously accused DragonForce and/or hacking collective Scattered Spider for the incident.
“When this happens, you don’t know who the attacker is, and in fact, they never send you a letter signed Scattered Spider, that doesn’t happen,” Norman said.
At the same time, Norman said British businesses should be legally required to report cyber attacks, claiming that two major organisations had suffered cyber attacks of late without reporting them and that “quite a large number” never get reported.
“In fact, we have reason to believe there’ve been two major cyber attacks on large British companies in the last four months, which have gone unreported,” he said.
“I don’t think it would be regulatory overkill to say [that] if you have a material attack ... for companies of a certain size, you are required within a time limit to report those to the NCSC.”
Be the first to hear the latest developments in the cyber industry.
