The chairman of U.K. retail giant Marks & Spencer declined to tell a panel of lawmakers whether the company paid a hacking group following a ransomware attack earlier this year.  

“We’ve said that we are not discussing any of the details of our interaction with the threat actor,” said chairman Archie Norman, referring to the ransom payment. “We don’t think it’s in the public interest to go into that subject partly because it is a matter of law enforcement.”

Norman said that “nobody” at Marks & Spencer interacted directly with the cybercriminals, which he attributed to the ransomware gang DragonForce.

In May, Marks & Spencer disclosed that hackers had stolen an unspecified amount of customer data, including names, dates of birth, home and email addresses, phone numbers, household information, and online order histories. The breach also disrupted operations for weeks, leaving shelves empty, and customers unable to order online.

Norman told lawmakers that the company is still dealing with recovery efforts and will continue to do so until October or November.