The Independent UK
Anna Wise

M&S chief says ‘traumatic’ cyber attack was like an out of body experience

Marks & Spencer's chairman has revealed the "traumatic" cyber attack on the retailer was believed to be instigated by hacking group Scattered Spider and a ransomware operation, DragonForce, run by former computer gamers.

Appearing before MPs, Archie Norman refused to confirm if M&S paid a ransom following the hack.

The attack, which began in late April, left M&S unable to take online orders for over six weeks. M&S estimates the attack will cost around £300 million in lost profits, but expects to recover up to half through cost management, insurance, and other measures.

Mr Norman, speaking at a Business and Trade select committee, said it was “not an overstatement to describe it as traumatic”, adding: “We’re still in the rebuild mode and will be for some time to come.”

He said the ordeal was “like an out-of-body experience” and that he had not experienced "anything quite like this" before in his extensive time working in the corporate world.

"It's fair to say that everybody at M&S experienced it, like our ordinary shop colleagues working in ways they hadn't worked for 30 years, working extra hours just to try and keep the show on the road.

"For a week probably the cyber team had no sleep, or three hours a night.”

Talking about the nature of the attack, he told MPs that the hackers “never send you a letter signed Scattered Spider, that doesn’t happen”.

“The attacker is working through intermediaries too, so we believe in this case there was the instigator of the attack, and then – believed to be DragonForce – who are a ransomware operation based, we believe, in Asia.

“So you’ve got loosely aligned parties working together.

“We took an early decision that nobody at M&S would deal with the threat actor directly – we felt the right thing was to leave this to the professionals who have experience in the matter.”

“It is believed that this group were former computer gamers who graduated into cyber – that may not be true, I’m relying entirely on hearsay,” Mr Norman said.

The chairman said the so-called “threat actors” also chose to communicate with the media, and were in contact with the BBC following the hack.

Mr Norman stressed that he would not talk about the nature of the discussions that had taken place with the hackers.

However, when asked whether businesses have to pay the ransomware demand following an attack, he said: “No I don’t think you do. That’s a business decision… the question businesses have to ask is when they look at the demand, what are they getting from it?

“Because once your systems are compromised and you’re going to have to rebuild it anyway, maybe they’ve exfiltrated data that you don’t want to publish, maybe there’s something there.

“But in our case, substantially the damage had been done.”
