Hands up if you’ve had a cyber attack.
The first arrests have been made following the highly damaging cyber attacks on Marks and Spencer and the Co-Op, leading retailers in the UK. Harrods were also impacted, but have said little about the nature of the attack.
This has led to M&S’s Chairman, Archie Norman, to suggest that the UK’s National Crime Agency did not have the resources to deal with the threat from hackers. This may or may not be the case but, to be fair, the arrests have been swift. Also, the UK’s security services, in the form of the National Cyber Security Centre (NCSC), will certainly have been working with M&S from an early stage, helping co-ordinate the investigation and response efforts and also providing tailored technical advice and guidance.
Norman also called for more mandatory reporting of cyber attacks and claimed that there were two other hacks of large companies in the past four months that went unreported. Let’s look at this a little more closely. In the UK there is a legal obligation to report the loss of personal data to the Information Commissioner’s Office within 72 hours. There is also a requirement to notify the Office of Financial Sanctions Implementation if a payment has been made to an attacker and an organisation has grounds to believe that the recipient may be subject to sanctions. Guidance from the UK Government then advises organisations to report attacks to the NCSC and also Action Fraud, a reporting service run by the City of London Police that acts as a central point of contact for information about fraud and financially motivated internet crime. There is no legal obligation to report to the NCSC or Action Fraud, though there is potentially an ethical obligation for leading organisations to support efforts to reduce crime.
But what about going public? There’s clearly a need to issue a media statement if your customers can’t do something today that they could do yesterday, such as place orders online. You probably also have an ethical obligation to go public if your customers’ data has been compromised, particularly if they need to change passwords on their accounts or take other steps to mitigate potential loss. The website I use for sports betting, Betfair, recently emailed to inform me that some access information, including “username, email address and some contact information”, had been compromised in an incident, but not my password (though to be fair, with my lamentable betting record lately I’m not sure a criminal could do a better job of emptying my account than I have).
After the Harrods attack the organisation issued a statement that probably reassured customers, but provided little detail: “We recently experienced attempts to gain unauthorised access to some of our systems. Our seasoned IT security team immediately took proactive steps to keep systems safe and as a result we have restricted internet access at our sites today.” So they did go public, but gave little away.
The Cyber Security Breaches Survey 2024, released by the Department of Science, Innovation and Technology, reported that fewer than half of UK organisations who had suffered a cyber attack reported it through official channels, which suggests they almost certainly didn’t go public either.
So, we are in a world where many organisations fail to report a cyber attack to the authorities and some, but not all, go public. It’s time for more consistency.