M&S Chairman: cyber attack attempt to destroy retail giant

Marks & Spencer Chairman Archie Norman today told UK Members of Parliament today (July 8th, 2025) that the cyber attack in April was an attempt to “destroy” the retail giant.

Speaking before the Business Select Committee, Norman indicated that the hacker group, believed to be DragonForce, sought to halt customer shopping at M&S, driven by motives that were “partly, undoubtedly, ransom or extortion.”

The attack, which began with a “sophisticated impersonation” through a third party on April 17th, led to the suspension of online orders and resulted in empty shelves in stores. M&S became aware of the intrusion two days later, on Easter Saturday, and heard directly from the attackers approximately a week after the initial breach.

Norman described the experience as “traumatic,” noting that the cyber team had minimal sleep for a week. The company notified British authorities and the FBI, the latter being “more muscled up in this zone” and “very supportive.”

M&S anticipates the cyber attack will impact this year’s profits by around £300 million, though the company expects to recover a “substantial” portion of this through insurance claims, a process estimated to take about 18 months. Norman revealed that M&S “curiously doubled our insurance cover last year.”

Addressing concerns about M&S’s systems, Norman acknowledged the presence of “legacy systems” due to the company’s age, stating they “probably wish we didn’t” have them. He admitted that with hindsight, M&S would have accelerated planned technology investments to bolster cybersecurity.

However, he strongly refuted media reports suggesting M&S’s systems were easily breached, emphasizing that “the attacker only has to be lucky once” and that “ultimately, can the attacker get in? They probably can if they try hard enough.”

Norman highlighted the company’s improved resilience compared to 2017, when he joined, stating: “If this had happened then, I think we would have been kippered.” Despite conducting practice drills, the intensity of the actual attack far exceeded simulations.

M&S has since trebled its cybersecurity team to 80 people and doubled its expenditure in this area. Norman also advised other businesses to be prepared to operate without IT systems, suggesting they “make sure you can run your business on pen and paper.” He declined to comment on whether a ransom was paid, citing it as a “business decision” and a matter for law enforcement.