Latest news with #NickFolland
Time of India
09-07-2025
- Business
- Time of India
UK companies should have to disclose major cyberattacks, M&S says
HighlightsArchie Norman, chairman of Marks & Spencer, stated that British businesses should be legally required to report material cyberattacks to the National Cyber Security Centre, citing that several serious attacks remain unreported. The recent cyberattack on Marks & Spencer, which forced the retailer to suspend online shopping for nearly seven weeks, is estimated to have cost the company about 300 million pounds in lost operating profit. Marks & Spencer's General Counsel, Nick Folland, emphasized the importance for businesses to have contingency plans that allow them to operate with pen and paper during system outages due to cyberattacks. British businesses should be legally required to report material cyberattacks to the authorities, the chairman of retailer Marks & Spencer said on Tuesday, claiming two recent major attacks on large UK firms had gone unreported. Giving evidence to lawmakers on parliament's Business and Trade Committee on the April cyberattack which forced M&S to suspend online shopping for nearly seven weeks, Archie Norman said the group had learnt that "quite a large number" of serious cyberattacks never get reported to the National Cyber Security Centre (NCSC). "In fact we have reason to believe there've been two major cyberattacks on large British companies in the last four months which have gone unreported," he said. Norman said that meant there was "a big deficit" in knowledge in the cybersecurity space. "So I don't think it would be regulatory overkill to say if you have a material attack ... for companies of a certain size you are required within a time limit to report those to the NCSC." Norman declined to say if M&S had paid any ransom but said that subject was "fully shared" with the National Crime Agency and other authorities. He said "loosely aligned parties" worked together on the M&S cyberattack. "We believe in this case there was the instigator of the attack and then, believed to be DragonForce, who were a ransomware operation based, we believe, in Asia." A hacking collective known as Scattered Spider that deploys ransomware from DragonForce has previously been blamed in the media for the attack. "When this happens you don't know who the attacker is, and in fact they never send you a letter signed Scattered Spider, that doesn't happen," said Norman. He said M&S didn't hear from the threat actor for about a week after it initially penetrated its systems on April 17 through a "social engineering" operation. In May, M&S said the attack would cost it about 300 million pounds ($409 million) in lost operating profit. Norman said M&S was fortunate in having doubled its cyberattack insurance cover last year, though its claim could take 18 months to process. M&S resumed taking online orders for clothing lines on June 10 after a 46-day suspension but is yet to restore click and collect services. Last week, M&S CEO Stuart Machin told investors the group would be over the worst of the fallout from the attack by August. Nick Folland, M&S' General Counsel, told the lawmakers a major lesson from the crisis for businesses generally was to make sure they can operate with pen and paper. "That's what you need to be able to do for a period of time whilst all of your systems are down," he said.
Sky News
08-07-2025
- Business
- Sky News
Cyber attack on M&S involved 'sophisticated impersonation', chairman says
The chairman of Marks & Spencer has told MPs the company is "still in the rebuild mode" following a cyber attack which led to empty shelves and limited online operations for months. Speaking publicly for the first time since the attack, Archie Norman declined to answer whether the business had paid a ransom. "It's a business decision, it's a principal decision," he told members of the Business and Trade Committee. "The question you have to ask is - and I think all businesses should ask - is, when they look at the demand, what are they getting for it? "Because once your systems are compromised and you're going to have to rebuild anyway, maybe they've got exfiltrated data that you don't want to publish. Maybe there's something there, but in our case, substantially the damage had been done." What happened? The initial entry into M&S's systems took place on 17 April through "sophisticated impersonation" that involved a third party, Mr Norman said. It was two days later before the company became aware of the attack, and approximately a week after the intrusion before the retailer heard directly from the attacker. "Anybody who's suffered an event like ours, it would be foolish to say there's not a thousand things you'd like to have done differently," he added. In a warning to other businesses, M&S's general counsel and company secretary Nick Folland said firms should be prepared to operate without IT systems. "One of the things that we would say to others is make sure you can run your business on pen and paper," he said. Please refresh the page for the fullest version.
