The Social Engineering Attack that Brought a Large Retailer to its Knees
Key Lessons from the M&S Ransomware Attack


In May this year, Marks & Spencer—an iconic British retailer—suffered a cyberattack that exposed the personal data of over 9 million customers and employees and disrupted core business operations, with store closures impacting thousands of shoppers throughout the UK and Ireland.

The cost to the retailer to date is purported to be in excess of 20 million pounds. Share prices fell and consumer confidence is at an all-time low, with many stores remaining closed for a significant period of time.

The implications reach far beyond one company, however, sending a clear signal to an entire sector still lagging behind on cybersecurity readiness. The attack serves as a stark reminder of the vulnerabilities within the retail sector – but could just as easily apply to any sector.

So how did it happen – and who did it?

No complex hacking techniques here – this was a good old-fashioned “walk in through the front door” social engineering attack! The threat actors were able to get access by simply posing as an employee and calling the M&S help desk, asking to reset the employee's password.

The attack has been attributed to the Scattered Spider group, whose specialities include social engineering – which is reported to be the method used here. The breach has had profound implications, not only for M&S but for the industry at large.

Why Retailers Should Be Alarmed!

The M&S incident isn't isolated – other retailers have been targeted recently, which points to a broader trend. The retail sector is now firmly in the crosshairs of sophisticated cybercriminals – and it is far from adequately armed!

Why are Retailers such an Attractive Target?

Retailers are quickly becoming an attractive target – why? Because they handle vast amounts of personal data from consumers while often lacking appropriate controls to secure that data.

They use a lot of third-party platforms, such as point-of-sale, logistics and inventory systems – and many rely on outdated tech with limited cybersecurity oversight.

Employee awareness is very often lacking, and education has traditionally been a low priority. The role that a single help-desk call played in the M&S attack shows just how large this gap is in the cyber security of many retailers. Technical solutions aside, the issue of user security needs to be urgently addressed – although, to be fair, this can be said for most businesses!

Strengthening Cybersecurity in the Retail Sector – what action is required to address the shortcomings?

To bolster their Cyber defences, retail companies should consider the following actions:

  • Implement Third-Party Risk Management: Apply stringent cybersecurity requirements to all partners and suppliers. A platform to help manage this would be the simplest option, with all supply chain security managed via a single dashboard.
  • Invest in Employee Training & Awareness: Keep Security front of mind by regularly educating staff on cybersecurity best practices and phishing awareness. Individuals are still the weakest link in any organisation, so awareness is essential!
  • Re-Assess the Cyber Security Strategy: Incorporate a “defence-in-depth” approach and include detection and response tools in the tech stack. These should cover strong authentication, EDR, NDR, mobile, cloud and IoT devices, credential theft monitoring and ransomware detection. Detection and response tools allow you to initiate containment early, minimising the impact on operations, brand reputation and customer trust.
  • Develop a More Robust Cyber Resiliency Plan: If the worst should happen, how quickly can you restore operations? While it is prudent to do everything you can to prevent an attack, it’s equally important to plan for what comes after. Develop incident response plans – and test them regularly with simulations and training!

The M&S ransomware attack serves as a critical learning opportunity for the retail sector. By understanding the tactics employed by cybercriminals and implementing robust cybersecurity measures, companies can better protect themselves and their customers from future threats.

The key takeaway, however, is to cease complacency now and take action! Retail businesses must act swiftly to avoid becoming another headline.