Marks & Spencer chair says cyber attackers used impersonation to devastate systems in ‘traumatic’ assault
Marks & Spencer’s chairman has claimed cyber attackers tried to “destroy” the company in a calculated assault that left staff sleepless and shelves bare across the UK.
Archie Norman, speaking before Parliament’s Business Select Committee on Tuesday, revealed that the cyber onslaught in April — allegedly carried out by the hacking group DragonForce — felt like “a criminal actor was trying to assassinate our business.”
“It was like an out of body experience,” Norman told MPs. “It’s very rare to have someone, from abroad or here, actively trying to stop customers shopping at M&S.”
The brazen attack forced the retailer to halt online orders, while customers faced empty shelves in stores as internal systems collapsed. The company now estimates the fallout will cost up to £300 million in profits this year, although Norman said some of that may be recovered through insurance.
The chair declined to confirm whether M&S paid a ransom. The BBC previously reported that DragonForce demanded payment, with abusive messages sent directly to the firm’s chief executive. However, Norman insisted the company would not discuss its interaction with the threat actor.
Co-op’s general secretary, Dominic Kendal-Ward — whose business was also hit in April — confirmed to MPs they did not pay, nor even consider paying, a ransom.
While M&S expects customers will see normal service resume by the end of July, Norman warned that behind-the-scenes systems would remain compromised well into autumn.
“Background systems — that hopefully customers don’t see — we’ll still be working on in October or November,” he said, calling the entire experience “traumatic.”
“For a week probably, the cyber team had no sleep — three hours a night,” he added.
The method of attack? Sophisticated impersonation. According to Norman, the attackers didn’t exploit basic errors or software flaws. “There have been media reports that M&S left the back door open — that’s all Horlicks,” he said sharply.
“The attacker only has to be lucky once. Ultimately, can they get in? If they try hard enough, they probably can.”
Norman also defended the company’s ageing IT infrastructure — the so-called “legacy systems” — but admitted the company wishes it had modernised earlier. “Would it have prevented the attack? Not necessarily,” he said, “but that’s no excuse for not investing.”
The high-stakes assault has prompted Norman to call for tighter mandatory reporting rules. He claimed that two other major UK companies had recently suffered cyber attacks without informing the public — though he offered no evidence or names.
“We believe there have been two major cyber attacks on large British companies in the last four months that have gone unreported,” Norman said, warning that silence encourages further criminal activity.
At its height, the attack not only crippled M&S’s logistics, but also exposed how woefully underprepared companies might be, even with regular simulation drills.
“The simulation was nothing like what happened. The intensity — the unpredictability — nothing survives the first whiff of gunshot,” Norman admitted.
Reflecting on the company’s near-collapse, Norman compared the ordeal to earlier, darker days in the business.
“When I joined in 2017, this company was broken — it was laden with debt. If this had happened then, I think we would have been kippered.”