M&S chair calls for mandatory reporting of cyber attacks after "traumatic" ransomware incident – but will it do more harm than good?
The call comes after the retailer struggled to recover from a massive ransomware incident
The chair of Marks and Spencer (M&S) has called for companies to be forced to disclose cyber attacks, claiming that two large British companies were hacked without any public knowledge.
M&S was hit by a ransomware attack in April, causing ongoing outages and losing the retailer as much as £300 million in sales. The company expects to be back to full operations within a few weeks.
Speaking to a business subcommittee at the UK Parliament, M&S chair Archie Norman admitted the company was still in "rebuild mode" and said the attack was "traumatic".
"It's very rare to have a criminal actor from another - or in this country, we're never quite sure - seeking to stop customers shopping at M&S, essentially trying to destroy your business," Norman said, according to the BBC.
Norman added that the cybersecurity teams responding to the incident worked under incredibly challenging conditions, noting that some staff "had no sleep" or, at best, three hours a night.
More details on the M&S hack emerge
Norman disputed reports that M&S mistakenly left a "back door" open for the hackers to access, saying the attack happened via social engineering.
"As far as I can tell, that's a euphemism for impersonation," Norman reportedly told MPs.
"And it was a sophisticated impersonation. They just didn't walk up and say 'will you change my password.' They appeared as somebody with their details. And part of the point of entry also involved a third-party."
Though he wouldn't speak about whether the company paid a ransom or not, Norman insisted it would have made little sense in this case.
"[Once] your systems are compromised and you're going to have to rebuild anyway, maybe they've got exfiltrated data that you don't want to publish," he said. "Maybe there's something there, but in our case, substantially the damage had been done."
He confirmed that the attack was likely the work of Scattered Spider using DragonForce's ransomware-as-a-service, though said there had been no direct contact between the hackers and the company.
"They never send you a letter, signed Scattered Spider," he said.
Fellow retailer Co-op was also hit by a similar ransomware incident, but the impact was limited in comparison. The retailer also confirmed it refused to pay a ransom in the wake of the attack.
While it was forced to manage some systems using pen and paper, Rob Elsey, chief digital information officer at Co-op, told The Guardian that the hack was spotted quickly because of a decision to invest in detection systems, and that a segregated system design kept the damage more limited.
Norman suggested that M&S suffered worse because of its legacy systems.
Mandatory reporting
Norman noted that M&S quickly reported the incident to the National Cyber Security Centre (NCSC), including details of any payments made to the hackers, and called for others to do the same.
He added that mandatory reporting was "a very interesting idea" because it was clear some incidents are never reported, according to The Guardian.
"We have reason to believe there have been two major cyber-attacks on large British companies in the last four months that have gone unreported," he reportedly said.
Norman added that M&S had also contacted the FBI, as well as the UK's National Crime Agency and the Metropolitan Police following the incident.
In the UK, breaches of personal data must be reported to the Information Commissioner's Office (ICO), but there is no general requirement to report attacks that merely cause disruption or leak only corporate data. M&S said in May that some customer data was accessed in the incident.
More harm than good?
Not everyone agrees with Norman's call for mandatory reporting. Dr. Ilia Kolochenko, CEO at ImmuniWeb and a Fellow at the British Computer Society (BCS), said such a requirement could do more harm than good.
One challenge is properly defining what a "reportable attack" would include.
"For example, DDoS attacks may have a huge impact on business operations, but no confidential or regulated data is commonly stolen unless combined with other types of attacks," Kolochenko told ITPro.
"Moreover, DDoS attacks are complex and sometimes technically impossible to investigate. Thus, reporting them to authorities will bring from little to no value."
Beyond that, any reporting rule must include exemptions where alerting authorities would hinder an ongoing investigation, and bodies like the NCSC might need more funding to sort through the deluge of reports.
"Otherwise, we may simply hinder the work of governmental agencies, while failing to attain the underlying goal of the proposed legislation," he said.
Freelance journalist Nicole Kobie first started writing for ITPro in 2007, with bylines in New Scientist, Wired, PC Pro and many more.
Nicole is the author of a book about the history of technology, The Long History of the Future.