M&S Warns Two Major UK Firms Hide Cyberattacks

Marks & Spencer (M&S) has called for UK companies to be legally required to report major cyberattacks to national authorities, citing concerns that serious incidents often go unreported, creating a significant knowledge gap in cybersecurity. M&S chairman Archie Norman revealed that the retailer suffered a major ransomware attack in April, linked to the DragonForce group, which forced a seven-week suspension of online orders and resulted in an estimated £300 million loss in operating profit. Norman described the attack as traumatic and stressed the challenges of defending a large business with 50,000 system users and complex third-party involvements, highlighting social engineering as the initial entry method. He confirmed that M&S promptly reported the breach to the National Cyber Security Centre and cooperated with law enforcement but declined to disclose ransom payment details. Norman also noted that at least two other major UK companies had experienced significant cyberattacks recently without reporting them, underscoring the need for mandatory disclosure to improve collective defense. Despite the attack's impact, M&S plans to continue its strategic path and aims to be fully operational by August, having increased cybersecurity measures and staff prior to the breach.