UK Cyber Defence Resources Inadequate Says Marks and Spencer Chairman Norman

The chairman of Marks and Spencer has delivered a stark warning about the United Kingdom’s capability to combat cyber threats, revealing the retailer sought assistance from the US Federal Bureau of Investigation following a devastating Easter weekend attack.

Archie Norman, addressing MPs at a Commons business and trade sub-committee, disclosed that four major British companies had fallen victim to unreported cyberattacks within the past year. His testimony highlighted significant gaps in the UK’s cyber defence infrastructure, particularly noting the National Crime Agency’s resource limitations.

The FTSE 100 retailer’s decision to engage the FBI, which Norman described as “more muscled up in the zone,” raises serious questions about domestic cyber security capabilities. The attack, attributed to a group known as Scattered Spider utilising the DragonForce platform, initially penetrated M&S systems through sophisticated impersonation of a third-party contractor on 17 April.

Norman declined to confirm whether a ransom was paid, maintaining discretion regarding interactions with the threat actors. The breach’s financial implications are substantial, with analysts projecting a £300 million impact on profits. Despite this setback, M&S maintains its strategic course, allocating approximately £650 million annually to capital investment, with £250 million dedicated to technology infrastructure.

The retail giant’s experience has prompted calls for mandatory reporting of cyber incidents to the National Cyber Security Centre. Norman’s testimony revealed the complex nature of modern cyber threats, with attackers potentially operating through loosely aligned international networks. The M&S chairman’s characterisation of DragonForce as Asian-based remains contested, with some researchers suggesting Russian connections.

The incident has sparked renewed debate about national cyber security investment, following a 2023 security committee report that highlighted critical gaps in the UK’s digital defence capabilities. The absence of substantial government funding increases since the report’s publication remains a pressing concern for industry leaders.