Enduring impact in retail

In last month’s round-up, we covered more emerging details on the major retail hacks on M&S, Co-op and Harrods that took place earlier this year. This month, we’re still seeing the fallout from the attacks. Archie Norman, Chairman of M&S, appeared before MPs to talk about the impact of the cyber attack, which has led to an estimated loss of £300m. Meanwhile, the CEO of Co-op has issued an apology regarding its recent hack, which resulted in a data breach estimated to have affected all 6.5 million Co-op members. The stolen information includes names, addresses and contact details of members. Both high-profile incidents are believed to have been coordinated by the cybercriminal group known as ‘Scattered Spider’. In latest updates, four individuals have been arrested in connection with these attacks on M&S, as well as Co-op.

During his appearance before MPs, Norman did not elaborate on the company’s interactions with the threat actors or disclose whether any ransom had been paid. However, he did confirm that M&S had promptly reported the cyber attack to the National Cyber Security Centre (NCSC). Norman also commented that mandatory reporting of cyber attacks was a valuable consideration, especially in light of the frequency with which many cyber incidents remain unreported. He further mentioned that they were aware of two other major British companies that had experienced similar attacks, but had not reported them.

Reporting cyber incidents to the NCSC or any other regulatory body is not currently a mandatory requirement in the UK – although it is important to note here that under GDPR any incidents that have resulted in the breach of personal data in the UK do need to be reported to the Information Commissioner’s Office (ICO). By contrast, under Public Company Accounting Oversight Board (PCAOB) requirements in the US, registered firms are required to promptly report significant cyber-security incidents to the PCAOB, albeit on a confidential basis. This is important to note as it may be worth considering if a similar approach to cyber incidents could benefit the UK in the future.

A key takeaway from these incidents is the vital role individuals within organisations play in upholding good cyber-security practice, for example by correctly reporting phishing emails and prioritising keeping their credentials secure. In response, the NCSC has recently released its Cyber Security Culture Principles to assist organisations in building a strong and resilient cyber-security environment.

If you want to learn more about these cyber incidents and what they mean for you as an accountant or key stakeholder in a firm or business, we explored the detail in this ICAEW webinar, available on demand.

The cost of data breaches

Qantas has revealed that the data of approximately six million customers was compromised by cybercriminals earlier this month. The breach occurred when the airline’s IT call centre was targeted, allowing hackers to use social engineering techniques to access a third-party system and subsequently obtain the airline’s data. This incident highlights the persistent threat of social engineering, which is often directed at the weakest links within the supply chain.

Similarly, earlier this month luxury retailer Louis Vuitton disclosed that customer data in the UK was stolen when cybercriminals gained access to its operational systems. The information obtained included names, contact details and purchase history. This incident has subsequently affected other areas of the business, including operations in Korea and additional brands within the LMVH group, such as Christian Dior Couture. It has been confirmed that Louis Vuitton has reported the breach to the ICO.

The ICO recently fined genetic testing company 23andMe £2.31m for failing to protect the personal data of customers in the UK. In 2023, it emerged that cybercriminals were able to access highly sensitive information such as names, dates of birth, postcodes, race, ethnicity and health reports of customers from 23andMe using compromised login credentials. The ICO reiterated that companies that collect and use personal information have a legal duty to keep the information secure. The NCSC has also released more guidance on how to use password managers and passkeys to keep your credentials secure and protect your information online.

Later this month it was also revealed that a vulnerability in Microsoft’s on-premises SharePoint servers has allowed Chinese threat actors to bypass authentication and access sensitive data of businesses using these servers. In response to this, Microsoft has released security updates and steps to mitigate any potential attacks as a result of this vulnerability.

The AI and cyber overlap

McDonald’s new artificial intelligence (AI) hiring chatbot, which is designed to collect details from applicants including contact information and their CVs, exposed approximately 64 million records containing their personal data. Security researchers discovered the breach after determining that the administrator account credentials were simply ‘12345’, enabling them to access the records and underlying data maintained by the chatbot. Paradox.ai, the chatbot’s underlying service provider, has since suggested it has addressed these security deficiencies.

There have been lots of reports of AI being used to create deepfakes and facilitate enhanced phishing attacks, this time targeting politicians in the US. In a recent incident, hackers impersonated politician Marco Rubio and sent targeted messages in attempts to gain access to confidential accounts and information.

But it’s not all bad news. AI is increasingly being applied to develop solutions for addressing cyber attacks and improving cyber security. For example, organisations have been developing AI-driven threat detection and response systems that are capable of analysing large volumes of data to identify patterns and anomalies related to cyber threats. Similar methods are being used to strengthen email security, with application programming interfaces that can detect subtle patterns and anomalies in emails to identify potentially malicious messages. Large organisations, such as Microsoft, have also introduced commercial security copilots that are powered by AI to assist in the analysis and investigation of threats.

Want to learn more about cyber security?

Visit the ICAEW cyber-security webpages. Or email techfac@icaew.com with your cyber stories.