It has been a difficult month for retail, as media outlets reported attacks on two retail businesses, and an attempted attack on another. A previous article explored the practical lessons from the Marks and Spencer’s (M&S) cyber attack, including considerations for identity verification. This article builds on those lessons with additional considerations around risk management and incident response.
What happened
Over the Easter weekend, customers in M&S stores were unable to make contactless payments and click and collect services were unavailable. This was followed by weeks of reduced product availability as M&S store shelves remained empty and customers were unable to order products online. M&S later confirmed that the attackers had taken customer and employee data including names and email addresses, although bank account data had not been taken.
It is estimated that the attack will cost M&S £300m including lost revenue from online orders and food sales, and current reports indicate that online services are likely to be disrupted until July.
This attack happened against the backdrop of good company performance, with the company announcing a 22% growth in profit before tax. M&S has been going through a digital and wider transformation, and the positive performance is likely to be hampered by this attack, both from a financial and reputational perspective.
Is the retail sector a target for cyber attacks?
While all the details of the attack are not yet available, M&S chief executive Stuart Machin has described the attack as “highly sophisticated and targeted”. The hackers also attacked Co-op and attempted to attack Harrods, indicating a clear focus on the retail sector.
The motive for the attack remains unclear, but it is widely believed to be the work of a group of English-speaking hackers known as Scattered Spider. This is a loose collective of hackers in their early teens to late twenties, based in the UK, Western Europe and the US. They are known to prefer social engineering techniques (such as sending malicious emails encouraging recipients to click on a link, or getting users to change their password) to get into systems.
Many retail businesses have traditionally not seen themselves as key targets for cyber attacks; in fact, this year’s Cyber Security Breaches Survey showed that businesses in the retail or wholesale sector tended to regard cyber security as a lower priority than those in other sectors, with 44% saying it was a low priority.
In today’s world, most retail businesses hold confidential customer, employee and supplier personal data. Such data is attractive to attackers, as they can steal it and demand ransom payments to stop them revealing it.
Because the Scattered Spider group is loosely connected, its members have varied motivations for attacks, including monetary gain, making a statement, or doing it purely for the challenge. This means any business could be a target: every business is vulnerable and should therefore include cyber risk when assessing its risk exposure.
Supply chains continue to be vulnerable
It is believed that the hackers gained access to M&S systems through a third-party supplier – potentially one that is also used by the other retailers that were attacked. Supply chain security has long been a growing area of concern for cyber security and this attack reinforces the need to prioritise supply chain cyber security.
While there have been many significant cyber-security incidents stemming from organisational supply chains, including the NHS and MOVEit attacks, the risk remains largely unaddressed. The Cyber Security Breaches Survey reports that only 14% of businesses reviewed the risks posed by their immediate suppliers, and under one in ten (7%) were looking at their wider supply chain.
Part of this may be due to the complexity of supply chains, and the resources required to assess and monitor suppliers’ cyber-security arrangements. However, organisations can begin by identifying their suppliers as comprehensively as possible, then risk-assessing and prioritising them so that resources can be focused on the highest-risk suppliers. Supplier access to systems remains a key consideration, and organisations should implement strong access controls for both internal and external users. The National Cyber Security Centre (NCSC) has provided Supply chain security guidance to help organisations establish control and oversight of their supply chains.
Ransomware – to pay or not to pay
It is widely believed that the M&S attack was a ransomware attack. According to the NCSC’s Annual Review 2024, ransomware “remains one of the most pervasive cyber threats to UK organisations”. Such attacks can involve not only prevention of access to systems and/or data, but also the stealing of data. Ransomware is also becoming increasingly easy to conduct as many services and tools become available to support attackers; in the M&S case, the attacks were carried out using a platform known as DragonForce.
A 2022 report into ransomware found that 82% of British businesses that were victims of ransomware attacks paid the hackers to get back their data. It is not known whether M&S made any ransomware payments.
The UK Home Office consulted on legislative proposals on ransomware earlier in the year, which looked to introduce three key interventions: a targeted ban on ransomware payments for critical national infrastructure (CNI) and the public sector; a ransomware payment prevention regime; and an incident reporting regime.
Under the proposals, the ban would probably not have applied to M&S, although there was the possibility of including public sector suppliers within its scope. This may have affected M&S if it provides goods and other services to the public sector.
The ransomware payment prevention regime would also have required M&S (if not subject to the ban and if they decided to make a payment) to engage with the authorities and report its intention to make a payment before doing so.
There would also have been a mandatory reporting requirement, with an initial report to be provided within 72 hours of the incident and a more detailed full report within 28 days of the incident. Given the amount of time and effort required to investigate and address an attack, many businesses we have spoken to have expressed concern about diverting internal resources from focusing on response to creating the required detailed report.
A tested cyber-security incident response plan
M&S has, on the whole, been applauded for its response to the attack, particularly its handling of external communications. Machin stated that the organisation had run a cyber-attack simulation last year and was able to respond “quickly and take the right actions immediately”, including knowing “who to call and how to put the business continuity plan into action”.
This demonstrates the importance of businesses not only having a solid response plan, but testing it regularly so that the organisation is prepared for when – not if – an incident occurs. The cyber-security incident plan should be part of a wider business continuity plan, considering the impact of a cyber incident on the business and defining steps to recover and respond.
Although this article has covered risk management, supply chain and incident response, effective cyber security is about getting all the basics right. The NCSC’s 10 Steps to Cyber Security provides a useful overview of the key activities to focus on.