Marks & Spencer chairman Archie Norman has faced tough questions in Parliament after a cyberattack that paralysed the British retailer’s digital operations for months and is expected to cost the company £300 million in lost profits.
Appearing before the Business and Trade Committee on 8 July, Norman described the breach as “devastating” but refused to disclose whether M&S had ponied up a ransom to the attackers, citing public interest and ongoing law enforcement matters.
“We’ve said that we are not discussing any of the details of our interaction with the threat actor,” he said. “We don’t think it’s in the public interest to go into that subject, partly because it is a matter of law enforcement.”
Affecting the UK’s Economic Resilience
The hearing is part of a wider inquiry into the UK’s economic resilience in the face of growing cyber threats. The M&S incident, which began in April, forced the company to suspend online sales and disrupted in-store operations. Some services remain partially offline, with full restoration expected only in the coming weeks.
Norman confirmed the attackers were believed to be part of DragonForce, a ransomware operation thought to be based in Asia. “We believe in this case there was the instigator of the attack and then, believed to be DragonForce, who were a ransomware operation based, we believe, in Asia,” he said.
He added that nobody at M&S had direct contact with the group. “When this happens, you don’t know who the attacker is, and in fact, they never send you a letter signed Scattered Spider, that doesn’t happen,” referring to a hacking collective also linked by some reports to the attack.
More Evidence to Come
The Co-op Group, which also disclosed cyber-related disruption in the same timeframe, is expected to give evidence in the coming sessions, alongside cybersecurity and national security experts. Their input, according to committee chair Rt Hon Liam Byrne MP, is vital to understanding how the UK’s response to cybercrime stacks up, and where it is falling short.
“This was not just a costly disruption,” Byrne said. “It was a cyberattack that broke through the digital defences of two of Britain’s most cherished retail institutions (Marks and Spencer and the Co-op) in quick succession. That should ring alarm bells.”
He warned that such incidents are no longer outliers. “If attackers can reach these giants, they can reach anyone. The risk is no longer remote but pervasive and, some fear, uninsurable.”
Urging Lawmakers to Introduce Legal Obligations
Norman echoed that concern, urging lawmakers to introduce legal obligations for businesses to report significant cyberattacks. He said the lack of mandatory disclosure was allowing major incidents to slip under the radar.
“In fact, we have reason to believe there’ve been two major cyber attacks on large British companies in the last four months, which have gone unreported,” he said.
“I don’t think it would be regulatory overkill to say [that] if you have a material attack … for companies of a certain size, you are required within a time limit to report those to the NCSC.”
The National Cyber Security Centre, which plays a central role in responding to digital threats, currently offers voluntary guidance and coordination. But there is growing pressure to formalise reporting requirements to improve threat visibility and national preparedness.
Identifying Systemic Weaknesses
The Committee’s inquiry is aimed at identifying systemic weaknesses in both public and private sector responses to cybercrime. Over four panels, it will explore current threats, the adequacy of law enforcement resources, and the legislative changes needed to safeguard economic security.
Byrne said the stakes could not be higher.
“This session is part of our wider inquiry into a simple question: in these new times how do we safeguard the nation’s economic security, on which the security of the realm now depends?” he said.
“On Tuesday, we’ll continue our work searching for the truth about the new risks we must now face, and the defences now needed to keep the nation’s economy safer.”
The UK retail sector, already navigating inflation, supply chain instability, and shifts in consumer behaviour, now finds itself grappling with cybercrime as a direct threat to operational continuity and brand trust. With one of its most recognisable institutions now a cautionary tale, the inquiry may shape the next phase of cyber policy across the economy.
Weaponizing Psychological Pressure
Javvad Malik, Lead Security Awareness Advocate at KnowBe4, says: “Norman’s observations about criminals using media like the BBC to communicate demands shows just how far attackers go to weaponize psychological pressure.”
This all plays into the social engineering playbook which is used not just to gain initial access into organisations, but to also put pressure on victims to pay, he adds.
“Organisations which fall victim to such attacks are in a tough spot, and revealing whether or not ransom has been paid publicly may not be useful, and could play to criminals’ advantage to increase their notoriety and leverage it to publicly shame the victims more.”
He says Norman’s statement that “substantially the damage had been done” is quite accurate, and reveals the harsh reality that recovery often requires complete rebuilds anyway.
Balancing Transparency with Legal Considerations
“The Marks & Spencer chairman’s refusal to confirm whether a ransom was paid following the company’s cyberattack reflects the complex and sensitive nature of ransomware incidents,” adds Jamie Akhtar, CEO and Co-founder at CyberSmart.
“While some may interpret this silence as evasive, it highlights the difficult position organisations face when balancing transparency with operational and legal considerations. Confirming or denying payment can have far-reaching consequences, not only for a company’s public image but also for future targeting by threat actors.”
Akhtar says ransomware remains one of the most persistent threats in today’s digital landscape, and attackers are becoming increasingly sophisticated in their methods.
He says whether M&S coughed up or not, the incident highlights the need for robust defences, clear crisis management plans, and well-practised incident response protocols. “Silence in the aftermath of such attacks often points to ongoing investigations or negotiations, but it also leaves customers, stakeholders, and the wider cybersecurity community seeking clarity on the organisation’s posture and resilience.”
For businesses across the UK, this incident serves as yet another reminder that ransomware is a boardroom concern, Akhtar adds. “Executive leadership must be prepared to make swift, informed decisions under pressure, guided by ethical considerations, legal obligations, and long-term brand protection. Regardless of whether a ransom was paid, the most important lesson here is the value of proactive preparation: from regular backups and employee training to external security assessments and secure-by-design infrastructures.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.