Hackers tried to 'destroy' M&S, chair tells MPs

Marks & Spencer's chair has said it felt like the hackers behind April's cyber attack were "trying to destroy" the business.

The retailer halted online orders and customers were faced with empty shelves in shops following the attack, which M&S has said will continue to affect customers until the end of this month.

The department store's chair Archie Norman told MPs the company believed hacker group DragonForce was responsible, something the BBC confirmed last month.

He said the group's motives were "partly, undoubtedly, ransom or extortion" and an email seen by the BBC confirms DragonForce wanted payment.

"It's very rare to have a criminal actor from another - or in this country, we're never quite sure - seeking to stop customers shopping at M&S, essentially trying to destroy your business," Mr Norman said.

"It's like an out of body experience," he added.

M&S has repeatedly declined to comment on whether or not it paid a ransom, which would likely be in the millions, with Mr Norman telling MPs on the Business Select Committee that the firm would not "discuss the nature of the interaction with the threat actor".

The MPs also heard from retailer Co-op, which also suffered a cyber attack in April. Its general secretary Dominic Kendal-Ward said: "We did not pay a ransom. We did not contemplate or at any point discuss paying a ransom."

M&S's Mr Norman described the experience as "traumatic" and said "for a week probably, the cyber team had no sleep - three hours a night".

He added that though customers will see the business running as normal by the end of July "background systems - that hopefully customers don't see - we will still be working on October or November."

M&S has predicted the attack will hit this year's profits by around £300m, though Mr Norman said the firm hoped to recover some this cost from insurance payouts.

Asked about regulation, Mr Norman said he felt large companies should be required to report "material" cyber attacks.

"We have reason to believe that there have been two major cyber attacks on large British companies in the last four months that have gone unreported," he said, though he did not provide any evidence for this.

Mr Norman admitted that M&S had "legacy systems" because of the its age. "We probably wish we didn't," he added.

He said that with the benefit of hindsight the company would have brought forward its planned technology investment to strengthen its cyber-security systems.

"Would it have prevented the attack? Not necessarily, but that's not a reason for not doing it," he added.

However, Mr Norman hit back at the suggestion M&S's systems were vulnerable.

"Just to be clear, there have been media reports that M&S left the back door open... that's all Horlicks," he said adding that "the attacker only has to be lucky once".

"Ultimately, can the attacker get in? They probably can if they try hard enough."

Mr Norman revealed the attacker gained access to the system through "sophisticated impersonation".

He said the firm handled the attack a lot better than it would have done when he joined in 2017. Back then, he said the business was "broken" and struggling with debt.

"If this had happened then, I think we would have been kippered," he said.

Mr Norman said the firm had practice drills to prepare for a cyber attack but "nothing survives the first whiff of gunshot".

"The simulation... was nothing like what happened, the intensity of it," he said.