The chairman of U.K. retail giant Marks & Spencer, Archie Norman, refused to tell a panel of lawmakers whether the company paid a hacking group following a ransomware attack earlier this year.
“We’ve said that we are not discussing any of the details of our interaction with the threat actor,” Norman said, referring to the ransom payment. “We don’t think it’s in the public interest to go into that subject partly because it is a matter of law enforcement.”
Norman stated that “nobody” at Marks & Spencer directly interacted with the cybercriminals responsible for the attack, which authorities have attributed to the ransomware gang DragonForce.
Scope and Impact of the Data Breach
In May, Marks & Spencer revealed that hackers had stolen an unspecified amount of customer data, including names, dates of birth, home and email addresses, phone numbers, household information, and online order histories. The breach caused operational disruptions lasting several weeks, resulting in empty shelves and customers being unable to order online.
Norman informed lawmakers that the company is still in the process of recovery and expects these efforts to continue until October or November.
Author’s Opinion
While it’s understandable that sensitive details about ransomware payments may be legally protected, greater transparency from companies like Marks & Spencer is vital to rebuild customer trust and push for stronger cybersecurity standards across industries.
Featured image credit: Chris via Flickr