Retailing giant Marks & Spencer's chairman discloses ransomware incident, but is reluctant to confirm whether a ransom was paid.
Marks & Spencer Suffers Ransomware Attack: A Detailed Account
Marks & Spencer (M&S) has been the latest victim in a series of high-profile cyber-attacks targeting large British companies. The ransomware attack, which occurred in April, was perpetrated by the Scattered Spider hacking collective, according to reports.
The attack on M&S's systems was a sophisticated social engineering attack, involving a third party, and is suspected to be linked to the hacker collective "Lapsus$". M&S chairman Archie Norman described dealing with the attack as unprecedented.
M&S has a large number of legacy systems, making segmentation difficult. As a result, large swathes of the retailer's systems had to be shut down to prevent further lateral movement, affecting online shopping significantly.
Interestingly, M&S was not contacted by the attackers until a week after initial access was achieved. The retailer chose not to communicate directly with the attackers, instead relying on professional intermediaries.
Approximately 50,000 M&S employees and contractors work on the company's systems. Reports suggest Scattered Spider leveraged compromised credentials from Tata Consultancy Services (TCS) to infiltrate M&S.
Meanwhile, the Co-op, another major British retailer, was also targeted. The Co-op was not aware of the M&S attack when attackers first accessed its systems, but subsequently shared information via the National Cyber Security Centre (NCSC).
The Co-op was able to limit the effects of the cyber-attack because its systems were heavily segmented. Attackers were able to access member information while they were inside the Co-op's systems, but this was limited to names, addresses, and dates of birth. Crucially, the Co-op's online business and the payment systems in its retail stores were not affected by the attack.
Norman stated that there are reasons to believe that two major cyber-attacks on two large British companies in the last four months have gone unreported in the UK. He expressed support for mandatory reporting of "material" cybersecurity incidents.
Attacker demands were often communicated through media channels, most commonly the BBC. The attack was a ransom and extortion attempt, but it is unclear whether any ransom was paid.
As M&S continues to bring its systems back up securely, the retail sector remains on high alert for further cyber threats. The NCSC has urged all businesses to review their cybersecurity measures and remain vigilant against such attacks.