M&S says Dragon Force threat group behind April cyberattack


The retailer estimates that the attack will cost the company £300m in profits this year.

Marks and Spencer (M&S) told the UK government today (8 July) that ‘Dragon Force’ – a mostly Russian-speaking group – is believed to be behind the cyberattack that forced the retailer to suspend online shopping for nearly seven weeks.

Speaking to the UK parliament’s business and trade sub-committee on economic security, arms and export controls, the company chairperson Archie Norman described the attack as “traumatic” and said that the business was still in “rebuild mode”.

The company’s key online clothing distribution centre in Leicestershire is still offline, Norman added. M&S estimates that the attack will cost the company £300m in profits this year.

In April, M&S customers received a shock message from CEO Stuart Machin informing them that a cyber incident had taken place over recent days.

A few weeks later, the company said that personal data relating to customers was stolen during the attack, but that payment details and account passwords remained safe.

“We believe in this case there was the instigator of the attack and then, believed to be Dragon Force, who were a ransomware operation based we believe in Asia,” Norman elaborated at today’s inquiry.

He said that the company did not hear from the threat actor for around a week after it breached the retailer’s systems. However, the company informed authorities a day after learning of the attack, he added.

Norman declined to answer whether the company had paid a ransom to the attacker.

The company has shared details of its interactions with the threat actor with the UK National Crime Agency, and has enlisted the help of the US Federal Bureau of Investigation, he said.

“Once your systems are compromised and you’re going to have to rebuild anyway … in our case, substantially the damage had been done,” he said.

The M&S chairperson also said that reporting cyberattacks to the National Cyber Security Centre (NCSC) should be made mandatory.

“It is apparent to us quite a large number of serious cyberattacks never get reported,” he told the committee.

“We have reason to believe there have been two major cyberattacks on large British companies in the last four months that have gone unreported.”

The UK government floated a proposal earlier this year to make reporting ransomware incidents mandatory. It also sought to ban public sector bodies from paying ransoms to cyberthreat actors.

Separately, amendments to the UK GDPR, which recently came into effect, place a duty on all organisations to report certain personal data breaches to the UK Information Commissioner’s Office within 72 hours.
