
The chair of Marks and Spencer (M&S) has called for companies to be forced to disclose cyber attacks, claiming that two large British companies were hacked without any public knowledge.

M&S was hit by a ransomware attack in April, causing ongoing outages and losing the retailer as much as £300 million in sales. The company expects to be back to full operations within a few weeks.

Speaking to a business subcommittee at the UK Parliament, M&S chair Archie Norman admitted the company was still in “rebuild mode” and said the attack was “traumatic”.

“It’s very rare to have a criminal actor from another – or in this country, we’re never quite sure – seeking to stop customers shopping at M&S, essentially trying to destroy your business,” Norman said, according to the BBC.

Norman added that the cybersecurity teams responding to the incident faced incredibly challenging conditions, noting that they “had no sleep”, or at a minimum three hours a night.

More details on the M&S hack emerge

Norman disputed reports that M&S mistakenly left a “back door” open for the hackers to access, saying the attack happened via social engineering.

“As far as I can tell, that’s a euphemism for impersonation,” Norman reportedly told MPs.

“And it was a sophisticated impersonation. They just didn’t walk up and say ‘will you change my password.’ They appeared as somebody with their details. And part of the point of entry also involved a third-party.”

Though he wouldn’t speak about whether the company paid a ransom or not, Norman insisted it would have made little sense in this case.

“[Once] your systems are compromised and you’re going to have to rebuild anyway, maybe they’ve got exfiltrated data that you don’t want to publish,” he said. “Maybe there’s something there, but in our case, substantially the damage had been done.”

He confirmed that the attack was likely the work of Scattered Spider using DragonForce’s ransomware-as-a-service, though said there had been no direct contact between the hackers and the company.

“They never send you a letter, signed Scattered Spider,” he said.

Fellow retailer Co-op was also hit by a similar ransomware incident, but the impact was limited in comparison. The retailer also confirmed it refused to pay a ransom in the wake of the attack.

While it was forced to manage some systems using pen and paper, Rob Elsey, chief digital information officer for Co-op, told The Guardian that the hack was spotted quickly because of a decision to invest in detection systems and a segregated system design that kept the damage more limited.

Norman suggested that M&S suffered worse because of its legacy systems.

Mandatory reporting

Norman noted that M&S quickly reported the incident to the National Cyber Security Centre (NCSC) — including any details about any payments made to the hackers — and called for others to do the same.

He added that mandatory reporting was “a very interesting idea” because it was clear some incidents are never reported, according to The Guardian.

“We have reason to believe there have been two major cyber-attacks on large British companies in the last four months that have gone unreported,” he reportedly said.

Norman added that M&S had also contacted the FBI, as well as the UK’s National Crime Agency and the Metropolitan Police following the incident.

In the UK, breaches of personal data must be reported to the Information Commissioner’s Office, but there are no further requirements for hacking attacks that merely cause disruption or leak only corporate data. M&S said in May that some customer data was accessed in the incident.

More harm than good?

Not everyone agrees with Norman’s call for mandatory reporting. Dr. Ilia Kolochenko, CEO at ImmuniWeb and a Fellow at the British Computer Society (BCS), said such a requirement could do more harm than good.

One challenge is properly defining what a “reportable attack” would include.

“For example, DDoS attacks may have a huge impact on business operations, but no confidential or regulated data is commonly stolen unless combined with other types of attacks,” Kolochenko told ITPro.

“Moreover, DDoS attacks are complex and sometimes technically impossible to investigate. Thus, reporting them to authorities will bring from little to no value.”

Beyond that, any reporting rule must include exemptions where alerting authorities would hinder an ongoing investigation, and bodies like the NCSC might need more funding to sort through the deluge of reports.

“Otherwise, we may simply hinder the work of governmental agencies, while failing to attain the underlying goal of the proposed legislation,” he said.
