A recent comment by the chairman of M&S redshifted by the focus back on cyberattacks. Specifically in the online retail environment. This seems to be a juicy hunting ground for those in the know, mostly due to all the valuable customer data that is available. These can include a consumer’s credit card information, shopping patterns or even PII (Personally Identifiable Information). Information collected here can be utilized or sold at leisure.
A whole different way of seeing M&S
British businesses should be legally required to report material cyberattacks to the authorities, the chairman of retailer Marks & Spencerย MKS.L said on Tuesday, claiming two recent major attacks on large UK firms had gone unreported. M&S or Marks and Spencer is a leading British retailer. Founded in 1884, they are known for their exceptional offering of homeware, quality food as well as clothing. Their customer based is worldwide and they have a strong online presence.
Giving evidence to lawmakers on parliament’s Business and Trade Committee on the April cyberattack which forced M&S to suspend online shopping for nearly seven weeks, Archie Norman said the group had learnt that “quite a large number” of serious cyberattacks never get reported to the National Cyber Security Centre (NCSC). The NCSC can be described as the UK’s technical authority on cyber security. Since its formation in 2016, it serves as a bridge between the government and industries.
When the reality of hacks occur
“In fact, we have reason to believe there’ve been two major cyberattacks on large British companies in the last four months which have gone unreported,” he noted. Norman said that meant there was “a big deficit” in knowledge in the cybersecurity space. “So, I don’t think it would be regulatory overkill to say if you have a material attack … for companies of a certain size you are required within a time limit to report those to the NCSC.”
Norman declined to say if M&S had paid any ransom but said that subject was “fully shared” with the National Crime Agency and other authorities. He said “loosely aligned parties” worked together on the M&S cyberattack. “We believe in this case there was the instigator of the attack and then, believed to be DragonForce, who were a ransomware operation based,ย we believe, in Asia.” A hacking collective known as Scattered Spider that deploys ransomware from DragonForce has previously been blamed in the media for the attack.
Handling matters somewhere in the UK
“When this happens you don’t know who the attacker is, and in fact they never send you a letter signed Scattered Spider, that doesn’t happen,” said Norman. He said M&S didn’t hear from the threat actor for about a week after it initially penetrated its systems on April 17 through aย “social engineering” operation. In May, M&S said the attack would cost it about 300 million pounds ($409 million) in lost operating profit.
Norman said M&S was fortunate in having doubled its cyberattack insurance cover last year, though its claim could take 18 months to process. M&Sย resumed taking online orders for clothing lines on June 10 after a 46-day suspension but is yet to restore click and collect services. Last week, M&S CEO Stuart Machinย told investorsย the group would be over the worst of the fallout from the attack by August.
Ecommerce websites usually follow strict safety protocols to ensure relevant protection to those who make use of their services. Some of these measures can include limited user access to certain information, regulatory compliance, the use of secure ecommerce platforms, two-factor authentication, etc. Attacks are not always preventable, but a good plan and relevant preparedness will also help to handle such a situation if it arises.ย