M&S chief refuses to say if retailer paid a ransom to hackers who ‘tried to destroy’ it in cyber attack

Marks and Spencer department store front on Broad Street, Reading UK. Picture: Alamy

By Josef Al Shemary

Marks & Spencer chairman Archie Norman declined to answer if the retailer paid a ransom over the ‘traumatic’ attack, which left it unable to take online orders for six weeks.

M&S has estimated the attack would cost it around £300 million in lost profits - but expects to recover as much as half of the impact through cost management, insurance and other reactions.

The hack wiped more than £1.3bn off the high street firm's market value in the days immediately following the attack.

The cyber attack was believed to be instigated by hacking group Scattered Spider and DragonForce, a ransomware operation run by former computer gamers, M&S's chairman said.

As part of the attack, the hackers boasted that they installed ransomware across the M&S IT system and stole the private data of millions of customers.

Archie Norman, who was quizzed by MPs, refused to say whether or not the retailer paid the group's ransom money following the hack.

The high street chain was left unable to take any online orders for more than six weeks when its systems were targeted by hackers at the end of April.

Mr Norman, speaking at a Business and Trade select committee, said it was "not an overstatement to describe it as traumatic", adding: "We're still in the rebuild mode and will be for some time to come."

Talking about the nature of the attack, he told MPs that the hackers "never send you a letter signed Scattered Spider, that doesn't happen".

"The attacker is working through intermediaries too, so we believe in this case there was the instigator of the attack, and then - believed to be DragonForce - who are a ransomware operation based, we believe, in Asia.

"So you've got loosely aligned parties working together.

"We took an early decision that nobody at M&S would deal with the threat actor directly - we felt the right thing was to leave this to the professionals who have experience in the matter."

"It is believed that this group were former computer gamers who graduated into cyber - that may not be true, I'm relying entirely on hearsay," Mr Norman said.

The chairman said the so-called "threat actors" also chose to communicate with the media, and were in contact with the BBC following the hack.

Mr Norman stressed that he would not talk about the nature of the discussions that had taken place with the hackers.

However, when asked whether businesses have to pay the ransomware demand following an attack, he said: "No I don't think you do. That's a business decision... the question businesses have to ask is when they look at the demand, what are they getting from it?

"Because once your systems are compromised and you're going to have to rebuild it anyway, maybe they've exfiltrated data that you don't want to publish, maybe there's something there.

"But in our case, substantially the damage had been done."