M&S chair calls for mandatory reporting of cyber attacks after "traumatic" ransomware incident – but will it do more harm than good?
The call comes after the retailer struggled to recover from a massive ransomware incident


The chair of Marks and Spencer (M&S) has called for companies to be forced to disclose cyber attacks, claiming that two large British companies were hacked without any public knowledge.
M&S was hit by a ransomware attack in April, causing ongoing outages and losing the retailer as much as £300 million in sales. The company expects to be back to full operations within a few weeks.
Speaking to a business subcommittee at the UK Parliament, M&S chair Archie Norman admitted the company was still in "rebuild mode" and said the attack was "traumatic".
"It's very rare to have a criminal actor from another - or in this country, we're never quite sure - seeking to stop customers shopping at M&S, essentially trying to destroy your business," Norman said, according to the BBC.
Norman added that the cybersecurity teams responding to the incident faced incredibly challenging conditions, noting that they "had no sleep" or, at a minimum, only three hours a night.
More details on the M&S hack emerge
Norman disputed reports that M&S mistakenly left a "back door" open for the hackers to access, saying the attack happened via social engineering.
"As far as I can tell, that's a euphemism for impersonation," Norman reportedly told MPs.
"And it was a sophisticated impersonation. They just didn't walk up and say 'will you change my password.' They appeared as somebody with their details. And part of the point of entry also involved a third-party."
Though he wouldn't speak about whether the company paid a ransom or not, Norman insisted it would have made little sense in this case.
"[Once] your systems are compromised and you're going to have to rebuild anyway, maybe they've got exfiltrated data that you don't want to publish," he said. "Maybe there's something there, but in our case, substantially the damage had been done."
He confirmed that the attack was likely the work of Scattered Spider using DragonForce's ransomware-as-a-service, though said there had been no direct contact between the hackers and the company.
"They never send you a letter, signed Scattered Spider," he said.
Fellow retailer Co-op was also hit by a similar ransomware incident, but the impact was limited in comparison. The retailer also confirmed it refused to pay a ransom in the wake of the attack.
While it was forced to manage some systems using pen and paper, Rob Elsey, chief digital information officer for Co-op, told The Guardian that the hack was spotted quickly because of a decision to invest in detection systems and a segregated system design that kept the damage more limited.
Norman suggested that M&S suffered worse because of its legacy systems.
Mandatory reporting
Norman noted that M&S quickly reported the incident to the National Cyber Security Centre (NCSC) — including any details about any payments made to the hackers — and called for others to do the same.
He added that mandatory reporting was "a very interesting idea" because it was clear some incidents are never reported, according to The Guardian.
"We have reason to believe there have been two major cyber-attacks on large British companies in the last four months that have gone unreported," he reportedly said.
Norman added that M&S had also contacted the FBI, as well as the UK's National Crime Agency and the Metropolitan Police following the incident.
In the UK, breaches of personal data must be reported to the Information Commissioner's Office, but there are no further requirements for hacking attacks that merely cause disruption or leak only corporate data. M&S said in May that some customer data was accessed in the incident.
More harm than good?
Not everyone agrees with Norman's call for mandatory reporting. Dr. Ilia Kolochenko, CEO at ImmuniWeb and a Fellow at the British Computer Society (BCS), said such a requirement could do more harm than good.
One challenge is properly defining what a "reportable attack" would include.
"For example, DDoS attacks may have a huge impact on business operations, but no confidential or regulated data is commonly stolen unless combined with other types of attacks," Kolochenko told ITPro.
"Moreover, DDoS attacks are complex and sometimes technically impossible to investigate. Thus, reporting them to authorities will bring from little to no value."
Beyond that, any reporting rule must include exemptions where alerting authorities would hinder an ongoing investigation, and bodies like the NCSC might need more funding to sort through the deluge of reports.
"Otherwise, we may simply hinder the work of governmental agencies, while failing to attain the underlying goal of the proposed legislation," he said.
Freelance journalist Nicole Kobie first started writing for ITPro in 2007, with bylines in New Scientist, Wired, PC Pro and many more.
Nicole is the author of a book about the history of technology, The Long History of the Future.