M&S Chair Archie Norman has confirmed that the company believes the ransomware group DragonForce was responsible for its recent cyber attack. Addressing a parliamentary select committee on 8th July, Norman stated that “loosely aligned parties” collaborated in orchestrating the attack. He explained that while the instigator of the breach remains unclear, DragonForce—believed to be a ransomware operation based in Asia—is suspected of involvement.
Although media reports have previously named the hacking group Scattered Spider in connection with the incident, Norman clarified the uncertainty surrounding attribution in such cases. “When this happens you don’t know who the attacker is, and in fact they never send you a letter signed Scattered Spider—that doesn’t happen,” he said.
Norman also revealed that M&S received assistance from the U.S. Federal Bureau of Investigation (FBI) following the attack. The company had an exchange with the FBI, which Norman described as “very supportive” and “more muscled up in the zone,” providing critical guidance in the aftermath of the breach.
In addition to support from the FBI, M&S has been collaborating with the UK’s National Crime Agency and the National Cyber Security Centre (NCSC) in the wake of the recent cyber attack. The remarks came as M&S Chair Archie Norman gave evidence to a parliamentary select committee, following the incident which first came to light in April when shoppers across the UK were unable to make contactless payments over the Bank Holiday weekend.
M&S appeared before the committee alongside the Co-op, which also suffered a cyber attack in the same month. The session forms part of a broader inquiry into the impact of cyber attacks on UK businesses.
During his testimony, Norman called on the government to mandate the reporting of “major” cyber attacks, raising concerns about the current lack of transparency. “It is apparent to us that quite a large number of cyber attacks never get reported to the NCSC,” he said, adding that the company had reason to believe that two significant cyber incidents within the past four months had gone unreported. “We think that’s a big deficit in our knowledge as to what is happening,” he warned.
