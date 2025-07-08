Your support helps us to tell the story Read more Support Now From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging. At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story. The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it. Your support makes all the difference. Read more

Marks & Spencer's chairman has revealed the "traumatic" cyber attack on the retailer was believed to be instigated by hacking group Scattered Spider and a ransomware operation, DragonForce, run by former computer gamers.

Appearing before MPs, Archie Norman refused to confirm if M&S paid a ransom following the hack.

The attack, which began in late April, left M&S unable to take online orders for over six weeks. M&S estimates the attack will cost around £300 million in lost profits, but expects to recover up to half through cost management, insurance, and other measures.

Mr Norman, speaking at a Business and Trade select committee, said it was “not an overstatement to describe it as traumatic”, adding: “We’re still in the rebuild mode and will be for some time to come.”

He said the ordeal was “like an out-of-body experience” and that he had not experienced "anything quite like this" before in his extensive time working in the corporate world.

"It's fair to say that everybody at M&S experienced it, like our ordinary shop colleagues working in ways they hadn't worked for 30 years, working extra hours just to try and keep the show on the road.

"For a week probably the cyber team had no sleep, or three hours a night.”

Talking about the nature of the attack, he told MPs that the hackers “never send you a letter signed Scattered Spider, that doesn’t happen”.

“The attacker is working through intermediaries too, so we believe in this case there was the instigator of the attack, and then – believed to be DragonForce – who are a ransomware operation based, we believe, in Asia.

“So you’ve got loosely aligned parties working together.

“We took an early decision that nobody at M&S would deal with the threat actor directly – we felt the right thing was to leave this to the professionals who have experience in the matter.”

“It is believed that this group were former computer gamers who graduated into cyber – that may not be true, I’m relying entirely on hearsay,” Mr Norman said.

The chairman said the so-called “threat actors” also chose to communicate with the media, and were in contact with the BBC following the hack.

Mr Norman stressed that he would not talk about the nature of the discussions that had taken place with the hackers.

However, when asked whether businesses have to pay the ransomware demand following an attack, he said: “No I don’t think you do. That’s a business decision… the question businesses have to ask is when they look at the demand, what are they getting from it?

“Because once your systems are compromised and you’re going to have to rebuild it anyway, maybe they’ve exfiltrated data that you don’t want to publish, maybe there’s something there.

“But in our case, substantially the damage had been done.”