M&S thinks it might finally know what caused cyberattack - but still won't say if it paid a ransom


  • M&S chairman Archie Norman attributes recent ransomware attack to DragonForce
  • Law enforcement is still involved, and we don't know any ransom details
  • Norman is calling for greater transparency and cyberattack reporting

M&S is still refusing to confirm whether it paid a ransom following a recent major cyberattack, but at least we have an indication of its cause.

It's believed the attack was carried out by DragonForce, a ransomware operation believed to be based in Asia or Russia – a separate group from hacktivists at the similarly-named DragonForce Malaysia.

M&S chairman Archie Norman explained disclosing details of any ransom would not be in the public interest, given that law enforcement agencies are still involved with the case.

M&S shares more information on attack

"We’ve said that we are not discussing any of the details of our interaction with the threat actor," Norman stressed, speaking at a UK Parliament hearing on cyberattacks in the retail sector.

We now know the initial breach occurred via social engineering, with the attacker impersonating an M&S worker and tricking a third party into resetting an employee's password.

The Financial Times revealed just weeks after the cyberattack that Tata Consultancy Services, a third party that M&S uses to help manage help desk support, could have been inadvertently caught up in the breach.

Attackers threatened to leak the stolen data, and they also encrypted M&S systems, a combination known as a double extortion attack. In May, M&S confirmed that names, birth dates, addresses, phone numbers, household information and order histories were all included in the stolen data.

150GB of data was reportedly stolen before M&S shut down systems to prevent further spread, leading to delivery disruptions. Recovery efforts are still ongoing, with Norman expecting full recovery by October or November 2025.

DragonForce has not posted M&S data, possibly implying that a ransom could have been paid or that negotiations are ongoing.

Looking ahead, Norman is calling for more transparency around reporting cyberattacks: "We have reason to believe there've been two major cyberattacks on large British companies in the last four months which have gone unreported," he said.

Via Reuters


With several years’ experience freelancing in tech and automotive circles, Craig’s specific interests lie in technology that is designed to better our lives, including AI and ML, productivity aids, and smart fitness. He is also passionate about cars and the decarbonisation of personal transportation. As an avid bargain-hunter, you can be sure that any deal Craig finds is top value!
