Hackers could have destroyed Marks & Spencer, admits boss

9th July 2025
Subeditor

Marks & Spencer could have been destroyed in a "traumatic" hack by cyber criminals, according to its chairman.

Archie Norman told British MPs it was ‘fortunate’ that the attack over Easter occurred while the business was on the up.

When he joined as chairman in September 2017, the business was "fairly broken" and its systems "were in a pretty decrepit state", he told the business and trade select committee yesterday.

"So I have to say, if this had happened then, I think we would have been kippered," he said.

He went on: "It is very rare to have a criminal actor in another country or this country seeking to stop customers shopping at M&S, essentially trying to destroy your business for purposes that are not clear, but undoubtedly for ransom and extortion."

He refused to say whether M&S paid a ransom to hackers, who stole the data of millions of customers, including names and addresses.

M&S was forced to halt website orders on April 25 after falling victim to the hack, which has been linked to the notorious Scattered Spider and DragonForce groups.

It hopes the business will be back to normal for customers by the end of this month. But disruption is set to go on behind the scenes for months and M&S could take a £300m hit to annual profits this year.

Norman described learning of the incident as an "out of body experience" and said it was "not an overstatement to describe the attack as traumatic".

It came just as M&S was enjoying the fruits of a protracted turnaround, which had seen it boost profits and shake off a reputation for ‘dowdy’ fashion.

The hackers – who Norman said were thought to be "former computer gamers" – boasted to media outlets about the attack to gain publicity.

The chairman said it was "an unusual experience to be brushing your teeth in the morning, when somebody comes on the BBC, with a communication from the people who are attacking our business".

The National Crime Agency is continuing to probe the hack. Norman said it would not be "regulatory overkill" for large companies to be obligated to report cyber attacks to the National Cyber Security Centre (NCSC).

He said: "It’s apparent to us that quite a large number of serious cyber attacks never get reported to the NCSC. In fact, we have reason to believe there have been two major cyber attacks on large British companies in the past four months, which have gone unreported."

Archie Norman. (Pic: Adrian Brooks/Imagewise)

This results in a "big deficit" of knowledge that could help other companies better protect themselves, he added.

Harrods and the Co-op both reported cyber attacks within days of M&S being hacked this spring. Shares in Marks & Spencer fell one per cent, or 3.3 pence, to 335.9p on Tuesday.

(Pic: Jeremy Moeller/Getty Images)
