Directors of the Co-op and Marks & Spencer were asked today whether or not they had paid any ransom after each was hit by cyber-criminals.

The retailers were appearing before a sub-committee of the Business and Trade Select Committee, concerned with cyber security in the wake of high-profile attacks on them and other retailers including Harrods, which led to business disruption.

Co-op representatives said they had not paid any ransom, while Marks & Spencer chair Archie Norman was more circumspect in his reponse.

Co-operative Group secretary and general counsel Dominic Kendal-Ward told the committee: “We did not pay a ransom. We did not contemplate or at any point discuss paying a ransom and in fact we didn’t engage at any point with the criminal attackers through the process.”

M&S’ Norman said that it too decided not to interact directly with the hackers, but he did not give such a definitive answer, partly because it would not help the police hunt for the criminals.

Norman said: “I think that’s a business decision and it’s a principle decision. The question you have to ask – I think all businesses should ask – is, when they look at the demand, what are they getting for it? Because once your systems are compromised you’re going to have to rebuild anyway… In our case, substantially the damage had been done.”

Asked about a ransom again he replied: “We’ve said that we are not discussing any of the details of our interaction with the threat actor, but that subject is fully shared with the NCA [National Crime Agency] and the relevant authorities. We don’t think it’s in the public interest to go into that subject, partly because it is a matter of law enforcement. We want to give people the best possible chance of pursuing that action. Secondly, part of what the threat actor is looking for is publicity. We want to make sure we limit the amount of oxygen they have.”

Topics