M&S says April cyberattack caused by third-party impersonation
The cyberattack that derailed Marks and Spencer Group Plc’s operations for weeks was the result of a “sophisticated impersonation” of one of the retailer’s third-party users, according to chairman Archie Norman.
The hackers entered M&S’s systems on April 17 and the company detected them two days later, Norman told members of the UK Parliament’s business and trade committee Tuesday. That triggered a “traumatic” period, with the cyber team getting barely any sleep as they grappled with the fallout, he said.
“It’s fair to say that everybody at M&S experienced it,” he said. “We’re still in the rebuild mode and will be for some time to come,” though things would return to normal for customers by the end of this month, Norman added.
A cybercrime gang known as “DragonForce” claimed it carried out the attack on M&S, which the retailer has estimated will deal a £300mil (RM1.72bil) blow to operating profit. Its shares are down over 15% since April 22, when M&S first announced it had been dealing with a cyberattack for several days.
Norman declined to say whether M&S had paid a ransom, saying it was a matter for law enforcement and that M&S was working with the National Crime Agency. “We don’t think it’s in the public interest to go into that subject,” he said.
The retailer has also been working with the UK’s National Cyber Security Centre and other authorities, and has been in contact with the FBI in the US, Norman said. “It’s understandable that the FBI are more muscled up in this zone – 60% of all cyberattacks reportedly happen in America anyway,” he said.
M&S expects to “receive some substantial recovery” from an insurance claim, though Norman said the process could take 18 months.
The retailer was one of several businesses targeted by cyberattacks in April, including the Co-op Group supermarket and luxury department store Harrods.
In the same parliamentary hearing, Co-op said the attack it faced also involved hackers impersonating an employee, by answering security questions to trigger an account reset. Chief Digital Information Officer Rob Elsey told MPs the malicious activity occurred about an hour after they gained access. – Bloomberg
……Read full article on The Star Online - Tech