
In April 2025, Marks & Spencer (M&S), one of the UK’s leading retailers, faced a sophisticated ransomware attack that disrupted its operations and compromised customer data. The attack, attributed to the DragonForce group, led to widespread operational disruptions and an estimated £300 million loss in sales. In response to this incident, M&S chairman Archie Norman has called for mandatory reporting of cyberattacks, aiming to enhance cybersecurity resilience and transparency within the UK retail sector.
The Attack and Its Aftermath
The cyberattack on M&S was executed through a sophisticated social engineering tactic: attackers tricked a third party into resetting an M&S employee’s password, which granted them unauthorized access to the company’s systems. The hackers employed a double extortion tactic, stealing data and then encrypting it to pressure M&S. The stolen data, amounting to 150GB, included sensitive customer information such as names, birthdates, addresses, phone numbers, and order histories. Recovery efforts are ongoing, with full restoration expected by October or November 2025. The stolen data has not yet been leaked, raising speculation about a ransom payment or ongoing negotiations; M&S chairman Archie Norman said the company would not disclose ransom details because of ongoing investigations. Norman also advocated for improved transparency in cyberattack reporting, noting that other significant breaches in the UK retail sector may have gone unreported.
Advocacy for Mandatory Reporting
In the wake of the attack, Norman has been vocal about the need for mandatory reporting of cyber incidents. Speaking to a UK Parliament subcommittee, he revealed that M&S promptly informed the National Cyber Security Centre (NCSC), the FBI, and UK law enforcement about the breach. He emphasized the importance of mandatory cyber incident reporting, suggesting that large-scale attacks on British companies often go unreported. Norman’s call for mandatory reporting aims to strengthen the central intelligence picture of attacks on UK businesses, ensuring that significant cyber incidents are documented and addressed promptly.
Industry Response and Debate
While Norman’s advocacy has garnered support, it has also sparked debate within the cybersecurity community. Critics, such as Dr. Ilia Kolochenko, CEO at ImmuniWeb, warn that mandatory reporting could increase bureaucracy, complicate ongoing investigations, and overwhelm authorities without improving security. The discussion highlights the broader debate on improving cyber resilience and regulatory frameworks amid rising cyber threats.
Broader Implications for the Retail Sector
The M&S cyberattack serves as a wake-up call for the retail industry, highlighting the need for robust cybersecurity measures and transparent reporting practices. The incident has reignited scrutiny over supply chain vulnerabilities, particularly where third-party software or IT service providers are involved. Legal attention now turns to breach notification duties, contractual recourse, and the effectiveness of cyber insurance coverage. The attack underscores the importance of proactive cybersecurity strategies and the need for a collaborative approach to address the evolving threat landscape.
Archie Norman’s call for mandatory reporting highlights a crucial debate. Beyond transparency, how can mandatory reporting be structured to provide actionable intelligence without overwhelming authorities and potentially hindering ongoing investigations?