M&S woes continue as Scattered Spider ransomware suspected


While the company stays tight-lipped on the details, M&S is continuing to suffer major disruption from what appears to be a serious ransomware attack.

Marks and Spencer is still dealing with a serious cybersecurity incident that has seen its online sales halted, share price tumble and staff reportedly being sent home from warehouses. While the company itself is saying little, it has apologised to its customers and last week notified the London Stock Exchange of the incident.

One leading global authority on cyber security described this as “a pretty bad episode of ransomware”, saying the consequences for the organisation are serious. Ciaran Martin, founder of the UK’s National Cyber Security Centre, and its first CEO, was speaking to BBC 4’s Today programme this morning. Today he is professor of practice at Oxford University’s Blavatnik School of Government. He identified the attack as a serious one where the company is locked out of its data, resulting in key parts of the organisation being unable to function.

“This is the more disruptive type [of ransomware] that has a real impact on what an organisation is able to do,” he said. “That’s why we’ve had nearly a week of no online orders and warehouse staff sent home, and logistics problems and so forth. This is a highly, highly disruptive event and a very difficult one for them to deal with.”

According to BleepingComputer, the ongoing outages are caused by a ransomware attack, using Scattered Spider tactics, that encrypted the company’s servers. The attackers may have breached the M&S servers as early as February of this year, reportedly stealing the Windows domain’s NTDS.dit file (the main database for Active Directory Services running on a Windows domain controller). That allowed them to ultimately steal passwords for Windows accounts and spread through the Windows domain, stealing data from networks and servers.

BleepingComputer cites sources saying Marks and Spencer asked for help from CrowdStrike, Microsoft, and Fenix24 to investigate and respond to the attack, which an investigation shows is linked to Scattered Spider (also known as Octo Tempest) tactics.

Cybersecurity firm Silent Push had flagged in March that Scattered Spider was still actively hunting for victims, and it identified services targeted as including major players like Forbes, Instacart, Louis Vuitton and Nike.

“Silent Push researchers are tracking five unique Scattered Spider phishing kits, which have been used since at least 2023,” said the Silent Push report. “Some of these kits have seen several updates, alongside dozens of their code fingerprints and technical deployment decisions. Right now, it appears their legacy phishing kits are being deprecated.”

It is a real wake-up call for other UK and European retailers, Martin said. “Cybersecurity is attritional. This happens all the time. The UK, in terms of big corporates, has had it relatively lightly from ransomware compared to the US, where it’s almost ubiquitous and rampant. So I think this is a reminder that this is the principal threat to big private companies from cybercrime.”
