UKHotViews

Wednesday 07 May 2025

Retailers in crosshairs of cyber hackers

The recent bout of cyber-attacks targeting retailers M&S, Co-op and Harrods surely has many organisations in the industry (and elsewhere) looking over their shoulder, wondering who will be next in the crosshairs. The initial attack on M&S caused huge disruption to online orders, contactless payments and Click & Collect services, and caused delivery delays, with some stores left with empty food shelves. (See - M&S cyber breach linked to Scattered Spider ransomware)

Co-op was attacked just a few days later, and while it has taken some time for more details to come to light, it turns out things were worse than the retailer initially led people to believe. Co-op initially said that it had taken "proactive measures" to fend off hackers and that it was only having a "small impact" on its operations, with "no evidence that customer data was compromised".

However, hackers contacted the BBC with proof they had infiltrated IT networks and stolen huge amounts of customer and employee data (reportedly private information of 20m people who signed up to Co-op's membership scheme). The Co-op then confirmed on Friday that the hackers "accessed data relating to a significant number of our current and past members". The cyber criminals are believed to be the same Scattered Spider community who attacked M&S, acting as affiliates for the DragonForce ransomware operation.

Co-op staff were also urged to keep their cameras on during Teams meetings, ordered not to record or transcribe calls, and told to verify that all participants were genuine Co-op staff. The security measure appears to be a direct result of the hackers having access to internal Teams chats and calls, which is a particularly concerning development.

The threat actors appear to have utilised similar tactics to the attack on M&S, reportedly conducting a social engineering attack that allowed them to reset an employee's password, with hackers impersonating employees while contacting the retailers' IT help desks. Access was then used to breach the network and steal the Windows NTDS.dit file that contains password hashes for Windows accounts. Co-op is now in the process of rebuilding all of its Windows domain controllers and hardening Entra ID with the help of Microsoft DART. KPMG is assisting with AWS support.

Such cyber-attacks continue to put more pressure on organisations to harden their defences, especially when it comes to identity-based attacks. Breaches like those we have seen at M&S and Co-op are not the result of advanced network intrusions, but frankly rather basic social engineering. Organisations need to invest as much (if not more) into cybersecurity as they are into AI right now, in particular in strengthening identity verification controls (such as MFA, passkeys and zero-trust controls).

Posted by: Simon Baxter at 09:51


© TechMarketView LLP 2007-2025: Unauthorised reproduction prohibited see full Terms and conditions.