M&S hackers are reported to have sent an abusive email directly to the retailer’s CEO and seven other executives demanding payment and gloating over the cyberattack.
The extortion email was sent on 23 April by the hacker group Dragon Force, and included a darknet link to a portal for ransomware victims to negotiate payment, according to the BBC.
“We have marched the ways from China all the way to the UK and have mercilessly raped your company and encrypted all the servers,” the email said.
“The dragon wants to speak to you so please head over to [our darknet website].”
“Let’s get the party started. Message us, we will make this fast and easy for us”.
The hackers are also said to have boasted of stealing the private data of millions of customers, nearly three weeks before M&S informed customers their details had been accessed.
It appears to have been sent from an M&S email address held by an employee of the retailer’s IT services provider Tata Consultancy Services (TCS), according to the BBC.
Stuart Machin said last month that hackers used “social engineering” in the attack, and gained access to systems as a result of “human error” by a “third party”.
An M&S spokesperson said today: “We cannot comment on details of or speculation on the cyber incident, and we have been advised not to.”
The Grocer has approached TCS for comment. The company has reportedly said the email seen by the BBC was not sent from its system and that it has nothing to do with the breach at M&S.
The Financial Times reported in May that TCS was investigating internally whether it was the gateway for the attack, and hoped to conclude the probe by the end of the month.
Dragon Force has also been linked to the cyberattack on the Co-op, which unfolded days after the attack on M&S in late April.
Harrods was also hit by a cyberattack at around the same time.
The email from hackers to M&S warned: “We’re putting UK retailers on the Blacklist.”
Co-op CEO Shirine Khoury-Haq said this week that systems were now “stable”, while M&S has estimated online orders of clothing and home will be unavailable until July, wiping £300m from its annual profits.
The recent attacks have also been linked to Scattered Spider, a loose collective of hackers, some based in the UK and US, who are known to use social engineering techniques to trick employees into proving log-in details.
Dragon Force allows cyber-criminals to use its ransomware and agrees to pay them a cut of any ransom payment.
Early reports from Bleeping Computer in the wake of the M&S attack suggested Scattered Spider deployed Dragon Force’s ransomware after gaining access to the retailer’s systems.
M&S is also facing the threat of class action data lawsuits from customers affected by the breach, which the retailer has said included dates of birth, ‘household information’ and telephone numbers, but not useable card payment details. A law firm promising M&S customers compensation over the data breach last week told The Grocer it had signed up more than 300 claimants, a week after going public with the action.
No comments yet