Hackers who targeted Marks & Spencer sent an abusive email directly to the retailer’s chief executive officer Stuart Machin, gloating about their attack and demanding payment, the BBC has revealed.
The message was sent on 23 April from hacker group DragonForce using the email account of an M&S employee. The email confirms for the first time that M&S has been hacked by the ransomware group – something the company has refused to acknowledge.
“We have marched the ways from China all the way to the UK and have mercilessly raped your company and encrypted all the servers,” the hackers wrote in broken English. “The dragon wants to speak to you so please head over to [our darknet website].”
The extortion email, which included racist language, was sent to Machin and seven other executives. The hackers boasted about installing ransomware across the M&S IT system and claimed to have stolen private data of millions of customers.
The email appears to have been sent using the account of a worker from Indian IT giant Tata Consultancy Services, which has provided IT services to M&S for over a decade. The London-based IT worker has an M&S email address but is a paid TCS employee who appears to have been hacked in the attack.
TCS has said it is investigating whether it was the gateway for the cyber-attack but told the BBC that the email was not sent from its system and that it has nothing to do with the breach at M&S.
Nearly three weeks after the initial hack, customers were informed by the company that their data may have been stolen. Customer personal data potentially included names, email addresses, postal addresses and dates of birth.
The cyber-attack has severely disrupted M&S operations, with the retailer halting online orders and experiencing empty shelves. The company expects disruptions to continue until July, with the hack estimated to cost around £300 million.
M&S chairman Archie Norman said in the company’s annual report that the significant impact of the hack is likely to “endure for some weeks, or even months”. He added: “I am confident that in a year’s time the cyber incident will prove to have been a bump in the road along the path to growth, even if it does not feel like that today.”
The hackers’ email also referenced the company’s cyber-insurance policy, suggesting they had detailed knowledge of M&S’s systems. Machin has refused to say whether the company has paid a ransom to the hackers.
DragonForce has also claimed responsibility for a cyber-attack on Co-op. Both hacks began in late April and caused significant disruption to the retailers.