The Attack On M&S Reverberates Three Weeks Later

Uploaded on 2025-05-13 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW

The chaotic problems at British retail giant Marks & Spencer (M&S) are being caused by a ransomware attack believed to be conducted by threat actors known as Scattered Spider.  

M&S is a British multinational retailer that employs 64,000 employees and sells various products, including clothing, food, and home goods in over 1,400 stores worldwide. The retailer is dealing with some major issues, with empty shelves not replenished and delays to its online shopping services.

Now, M&S have disclosed that customers’ personal data has been taken and must comply with the legal requirement to report this to the UK Information Commissioner's Office (ICO) under the 2018 UK Data Protection Act.

M&S's assessment that customers don't need to take immediate action is based on the critical fact that payment details and passwords were not compromised, which does significantly reduce the most severe and immediate financial risks however, after any cyber incident it is important to remain alert after any data breach. Here are some simple tips to maintain security - 

  • Remain Alert of suspicious communications: Be extra cautious of any emails, calls, or texts claiming to be from people associated with M&S or other companies, especially if they ask for personal or financial information, or contain links you're unsure about. 
  • Use strong, unique passwords: consider changing passwords immediately to maintain secure access, it is good practice to use unique and strong passwords for all your online accounts. If you've reused your M&S password on other sites, consider changing them all also. 
  • Enable Two-Factor Authentication (2FA): If the option is available always apply 2FA for your accounts. This adds an extra layer of security and makes it harder for attackers to gain access to sensitive systems 
  • Monitor your accounts: Keep an eye on your online accounts for anything unusual. 

Scattered Spider is known for its ability to target large multisite companies and breaching their data. Since the attack commenced last weekend M&S has lost more than £700 million, wiped off its stock market valuation.

Shoppers are still able to browse online and shop in M&S’s physical stores using cash or cards, but some major problems continue in stores, with gift cards not currently being accepted. Returning goods is only possible in clothing and homeware stores or via post. Food stores are not currently able to accept returns.

In expert comment, Chief Security Officer & EVP Information Security, Tim Grieveson at ThingsRecon said "It is noted that M&S is indicating a lower risk due to the exclusion of sensitive financial and password data, however in my opinion it does not mean that customers are not at risk even when these specific details are not compromised. As we know, these scams are on the rise and might try to convince customers into revealing passwords, financial details, or clicking on malicious links. Email addresses and other contact information could also be sold to spammers or other malicious actors, leading to an increase in unsolicited emails, calls, or texts.   

"M&S has stated that customers will be prompted to reset their password the next time they log in as an "extra peace of mind" measure. While this isn't a direct result of passwords being stolen, it's a good security practice to ensure existing credentials aren't compromised by other means or used in credential stuffing attacks where attackers try stolen username/password combinations from other breaches on your M&S account”. 

Scattered Spider, also known as 0ktapus, Starfraud, Scatter Swine and Muddled Libra is a classification of threat actors that are adept at using social engineering attacks, phishing, multi-factor authentication (MFA) bombing (targeted MFA fatigue), and SIM swapping to gain initial network access on large organisations.

Scattered Spider members have typically engaged in data theft for extortion and have been known to use BlackCat ransomware.

This hacking group includes young members as young as 16 and is based in the UK and US, with a range of skills and the group began hacking in financial fraud and social media but now steals crypto-currency and hacks company data in extortion attacks. Some Scattered Spider members are thought to be part of The Comm, a group involved in high-profile cyber incidents and they use of different individuals for each attack make them difficult to track.

One of Scattered Spider's biggest exploits was at the gaming giant MGM Resorts International in September 2023, when guests reported difficulty accessing rooms and using casino games. MGM operates over 30 hotel and gaming venues around the world was alerted to a potential hack when Scattered Spider brought MGM systems to a halt after they gained access to the company's management systems and were able deploy ransomware.

In that exploit, MGM confirmed that some customers personal data was stolen, including names, dates of birth and driving license numbers. In some cases, social security numbers and passport numbers were also involved. 

In the latest exploit against M&S, Grievson concludes that "While the risk is indeed lower than a breach involving payment or password details, it's not entirely absent. Staying informed and practicing good online security habits is always the best defence as well as staying alert and practicing good digital hygiene." 

ITV   |   Bleeping Computer   |   Drapers   |   The Times   |  Guardian  |   BBC 

Image: Ideogram

You Might Also Read:

CISOs Guide To Compliance & Cyber Hygiene:

If you like this website and use the comprehensive 8,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 






 

« Five Top-Rated Threat Intelligence Platforms
Co-op Shuts Down IT Systems After Attempted Hack »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Tines

Tines

The Tines security automation platform helps security teams automate manual tasks, making them more effective and efficient.

British Insurance Brokers’ Association (BIBA)

British Insurance Brokers’ Association (BIBA)

BIBA is the UK’s leading general insurance intermediary organisation. Use the ‘Find Insurance‘ section of the BIBA website to find providers of cyber risk insurance in the UK.

Cyber Secure Forum

Cyber Secure Forum

The Cyber Secure Forum is a premier cybersecurity event dedicated to bringing together experts, and professionals to explore the latest trends, share knowledge, and discuss strategies.

Cyber Command

Cyber Command

Our Managed IT service allows clients to offload the management of day-to-day computer, server, and networking support to our team of professionals.

AMETIC

AMETIC

AMETIC, is the Association of Electronics, Information and Communications Technologies, Telecommunications and Digital Content Companies in Spain.

Crossword Cybersecurity

Crossword Cybersecurity

We work with research intensive European university partners to identify promising cyber security intellectual property from research that meets emerging real-world challenges.

Resolver

Resolver

Resolver’s Integrated Risk Management platform helps plan and prepare your organization to limit the likeliness or impact of security risk and compliance events from occurring.

WetStone Technologies

WetStone Technologies

WetStone develops software solutions that support investigators and analysts engaged in eCrime Investigation, eForensics and incident response activities.

Future of Cyber Security Europe

Future of Cyber Security Europe

Future of Cyber Security Europe is a European wide event examining the latest cyber security strategies and technologies.

Ogasec

Ogasec

Ogasec is a cybersecurity company formed by the merger between Aker and N-Stalker in 2017. Solutions include Security & Connectivity Networking, Application Security, and Managed Security Services.

African Cyber Security

African Cyber Security

African Cyber Security and it's partners, have the expertise and skills to provide holistic solutions for companies, institutions and government.

BluBracket

BluBracket

BluBracket is the first comprehensive security solution that makes code safe—so developers can innovate and collaborate, and security teams can sleep at night.

Intellias

Intellias

Intellias is a trusted technology partner to top-tier organizations and digital natives helping them accelerate their pace of sustainable digitalization.

Stripe OLT

Stripe OLT

At Stripe OLT, we provide complete business technology solutions - Our team has an unrivalled reputation as a Microsoft Gold Partner, specialising in secure, cloud-first technology.

ImmuniWeb

ImmuniWeb

We Simplify, Accelerate and Reduce Costs of Security Testing, Protection and Compliance.

Xantaro

Xantaro

Xantaro specializes in technologies, software and services for Carriers, ISPs, Hosting and Cloud Providers as well as for Operators of Data Centres and Campus Networks.

Executive Operations (EXOP)

Executive Operations (EXOP)

Executive Operations provides 24/7 cyber security staffing - SOC support, compliance, IT help desk & app development. Save 60% with skilled English-speaking teams.