M&S Calls for Legal Requirement for UK Firms to Report Major Cyberattacks
Marks & Spencer (M&S) Chairman Archie Norman has urged the UK government to introduce mandatory cyberattack reporting laws, revealing that numerous serious breaches across the country go unreported. Speaking before the Business and Trade Committee on Tuesday, Norman disclosed that M&S’s recent cyberattack exposed broader systemic weaknesses in how UK companies handle and report cybersecurity threats.
M&S: Cyberattacks Going Unreported to Authorities
During the hearing, Norman stated that after experiencing a crippling ransomware attack in April 2025, M&S discovered that “a quite large number” of serious cyberattacks on other UK firms had not been reported to the National Cyber Security Centre (NCSC). “We believe there was the instigator of the attack and then, believed to be DragonForce, who were a ransomware operation based, we believe, in Asia,” Norman explained.
The hacking collective Scattered Spider, previously linked to the DragonForce ransomware group, is suspected to have orchestrated the attack. However, as Norman emphasized, “You don’t know who the attacker is. They never send a letter signed ‘Scattered Spider.’”
M&S Cyberattack: Timeline and Business Impact
- Attack Date: April 17, 2025
- Attack Method: Social engineering
- Systems Impacted: Online ordering, click-and-collect services
- Duration of Online Outage: 46 days
- Resumed Online Orders: June 10
- Click & Collect Status: Still unavailable
- Estimated Financial Loss: £300 million (~$409 million) in lost operating profit
- Cyber Insurance: M&S has doubled its coverage but expects an 18-month claims process
Lessons in Cyber Resilience: “Be Ready to Work With Pen and Paper”
M&S General Counsel Nick Folland also testified, stressing that companies must be prepared to revert to manual operations during a cyber crisis. “That’s what you need to be able to do for some time whilst all of your systems are down,” Folland said.
This statement echoes broader concerns about whether UK businesses are prepared to keep operating when a ransomware attack takes their digital systems offline for an extended period.
A Call for Cybersecurity Regulation Reform in the UK
Norman argued that making it a legal requirement for businesses to report material cyber incidents would allow the government and the NCSC to track threats more accurately and prepare coordinated responses. Currently, UK firms have no general obligation to disclose cyberattacks; a reporting duty arises only when an incident violates data protection rules under the UK GDPR. This regulatory gap leaves critical infrastructure and consumer-facing industries vulnerable.
M&S Recovery Timeline
M&S CEO Stuart Machin recently told investors that the company expects to be past the worst of the attack’s fallout by August 2025, as it continues to restore full online services and recover from the financial hit.
Conclusion
The M&S cyberattack has become a wake-up call for UK businesses and lawmakers. With losses mounting and cyber threats escalating, the push for mandatory cyber incident disclosure laws could reshape the country’s corporate cybersecurity landscape. M&S’s experience underscores the need for preparedness, transparency, and stronger regulatory oversight.