M&S confirms month-long breach result of third-party vendor phishing attack


Marks & Spencer (M&S) has confirmed a Cybernews report that Scattered Spider hackers infiltrated the UK retailer’s networks by phishing employees of a third-party vendor and stealing their login credentials. On Tuesday, unnamed sources identified Tata Consultancy Services (TCS) as that vendor.

M&S Chief Executive Stuart Machin, who stopped short of naming TCS as the weak link in the supply chain, said that the hackers broke into its systems by tricking employees at a third-party contractor.

"Unable to get into our systems by breaking through our digital defences, the attackers did try another route, resorting to social engineering and entering through a third party rather than a system weakness," Machin told reporters on Wednesday.


"Once access was gained, they used highly sophisticated techniques as part of the attack," Machin said. According to reports, those techniques included impersonating the employees and resetting their passwords.

On Monday, inside sources alleged “that at least two Tata Consultancy Services employees’ M&S logins were used as part of the breach,” reported Reuters.

Tata Consultancy Services
Image by PradeepGaurs | Shutterstock

Widespread disruption unleashed on UK retail sector

Since the M&S Easter weekend breach was first reported to the UK National Cyber Security Centre (NCSC) on April 22nd, the UK retail sector has been pummeled by multiple cyberattacks, including major breaches at Harrods, Co-op, and now Peter Green Chilled, a third-party logistics provider serving Tesco brands, announced just two days ago.

Cybernews has since discovered that TCS, a global technology provider and business consulting firm based in Mumbai, India, is a strategic business partner not only of M&S but also of food retailers Co-op, Tesco, Sainsbury’s, and Aldi.

Siân John, Chief Technology Officer (CTO) at cybersecurity consulting firm NCC Group, said, “By infiltrating the logistics firm relied upon by suppliers to major UK supermarkets, cyber criminals are effectively exploiting a back door to unleash widespread disruption.”

“It’s easy to focus on internal systems and believe your business is secure. But the reality is that a single vulnerability in your supply chain can cascade across the entire network, bringing operations to a standstill," John said.


The CTO further explained, "As retailers ramp up their own cyber defences, hackers will be looking to capitalize on the chaos to conduct further attacks. One weak spot that so often gets overlooked is the supply chain.”


M&S recovery still months away

Machin, M&S CEO since 2022, said the company’s IT team first became aware of the breach after spotting suspicious activity inside its network systems, stating that the time between the hackers gaining access and detection was "short."

As for a possible ransom demand imposed by the threat actors, Machin said he was unable to comment as per instructions by government agencies and law enforcement.

The London-based retail giant also revealed on Wednesday that it is now looking at June or July before systems will be fully restored, alerting customers to expect continued online disruptions, including with its click-to-pay option.

"This incident is a bump in the road, and we will come out of this in better shape, and continue our plan to reshape M&S for customers, colleagues, and shareholders," Machin said on Wednesday.

Marks & Spencer out of order
Image by Suzanne Plunkett | Reuters

John said the security of any organization is only as strong as its most vulnerable suppliers, pointing out that the recent breaches prove "cyber resilience now demands a broader view - one that includes suppliers, partners, and service providers across multiple sectors and borders."

Still, the NCC technology chief reminds Cybernews readers that the threat landscape is constantly evolving, and supply chain attacks will only grow in sophistication. "There’s no silver bullet and securing the supply chain requires a layered, proactive approach,” she said.


“Organizations must start by acknowledging the scale of the threat. That means investing in a robust cybersecurity strategy that includes not only enhanced monitoring and response capabilities, but also higher standards of supplier assurance, regular audits, and ongoing training for both staff and partners," John said.

Meanwhile, M&S shoppers have also borne the brunt of the impact. In an announcement released last week, M&S said the hackers stole personal data belonging to millions of customers, including names, dates of birth, contact details, and online purchase histories, although it stressed that no payment details, bank card information, or account passwords were taken.

M&S customer data statement
corporate.marksandspencer.com

The UK retailer announced it was forced to suspend all online sales transactions while mitigation takes place. With their personal details now in criminal hands, customers are also exposed to follow-on phishing attacks that use the stolen data as a lure.

In a post from Wednesday on his LinkedIn page, Machin further spoke about the financial health of Marks & Spencer, which has suffered an estimated $400 million setback due to the now month-long attack.

“We will continue our plan to invest in our key growth areas: store rotation, supply chain and technology,” he wrote, citing last year’s Capital Markets Day outline.

“I would like to thank all of our colleagues and supplier partners for their hard work and dedication and, importantly thank our customers. They have been unwavering in their support, and we are incredibly grateful for their patience and trust in M&S,” he concluded.

M&S CEO Stuart Machin
Image by Marks & Spencer

Scattered Spider chaos

The Scattered Spider cybercrime group, reportedly now under investigation by the UK National Crime Agency (NCA), has directly claimed responsibility for the M&S, Harrods, and Co-op attacks, but so far has not been linked to the Peter Green Chilled incident.


The group is known for carrying out the infamous 2023 attacks on the MGM and Caesars casino resorts in Las Vegas through a similar IT help desk scam.

Like many other cybercriminal collectives, Scattered Spider members often try spear-phishing attacks to convince specific targets to visit a malicious web page and enter their user credentials, said Carlos Perez, research practice lead at TrustedSec.

“Once they have a credential or are able to steal tokens, they have shown proficiency in pivoting and abusing cloud infrastructure,” Perez told Cybernews.

The gang is also known to go after access tokens and one-time passwords (OTPs) to bypass authentication checks and get onto targeted devices. Security experts say that once Scattered Spider has breached a network, it wastes no time, quickly stealing data or installing ransomware.
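The chain the article describes twice, a help desk being talked into resetting an employee's password and the attacker then enrolling a new OTP factor and logging in from their own infrastructure, leaves a distinctive sequence in identity-provider logs. The following is an added detection example written for this page, not code from M&S, TCS, or any of the experts quoted. The event schema (event names such as helpdesk.password_reset and mfa.factor_enrolled, the src_ip and actor fields) is an assumption chosen to resemble a generic identity-provider audit log, and the log lines are constructed, not real telemetry from the incident.

```python
"""Flag help-desk-assisted account takeover chains in identity audit events.

Rule: a help-desk password reset for a user, followed within a time window by
enrolment of a new MFA factor and a successful login from an IP address never
seen for that user before the reset. A reset on its own, or a reset followed by
a login from the user's usual address, is not flagged.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=90)  # assumption: tune to the help desk's normal turnaround

# Constructed sample events (hypothetical schema; not real M&S or TCS logs).
SAMPLE_EVENTS = [
    # Baseline for contractor1: routine logins from a known address.
    {"ts": "2025-04-01T08:55:00Z", "user": "contractor1@vendor.example", "event": "login.success", "src_ip": "198.51.100.20"},
    {"ts": "2025-04-10T08:50:00Z", "user": "contractor1@vendor.example", "event": "login.success", "src_ip": "198.51.100.20"},
    # Suspicious chain: help desk reset, new MFA factor, login from an unseen IP, all within minutes.
    {"ts": "2025-04-19T21:05:00Z", "user": "contractor1@vendor.example", "event": "helpdesk.password_reset", "src_ip": "10.0.0.5", "actor": "helpdesk-agent-7"},
    {"ts": "2025-04-19T21:12:00Z", "user": "contractor1@vendor.example", "event": "mfa.factor_enrolled", "src_ip": "203.0.113.77"},
    {"ts": "2025-04-19T21:14:00Z", "user": "contractor1@vendor.example", "event": "login.success", "src_ip": "203.0.113.77"},
    # Benign: contractor2 gets a reset, then logs in from the usual address with no MFA change.
    {"ts": "2025-04-05T09:00:00Z", "user": "contractor2@vendor.example", "event": "login.success", "src_ip": "198.51.100.21"},
    {"ts": "2025-04-19T09:00:00Z", "user": "contractor2@vendor.example", "event": "helpdesk.password_reset", "src_ip": "10.0.0.5", "actor": "helpdesk-agent-2"},
    {"ts": "2025-04-19T09:03:00Z", "user": "contractor2@vendor.example", "event": "login.success", "src_ip": "198.51.100.21"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_takeover_chains(events, window=WINDOW):
    """Return one finding per (user, reset) that matches the takeover chain."""
    by_user = defaultdict(list)
    for event in sorted(events, key=lambda e: parse_ts(e["ts"])):
        by_user[event["user"]].append(event)

    findings = []
    for user, user_events in by_user.items():
        for i, reset in enumerate(user_events):
            if reset["event"] != "helpdesk.password_reset":
                continue
            reset_time = parse_ts(reset["ts"])
            # IPs this user logged in from before the reset form the baseline.
            known_ips = {e["src_ip"] for e in user_events[:i] if e["event"] == "login.success"}
            enrolled = None
            for later in user_events[i + 1:]:
                if parse_ts(later["ts"]) - reset_time > window:
                    break  # outside the window: stop scanning this reset
                if later["event"] == "mfa.factor_enrolled":
                    enrolled = later
                elif (later["event"] == "login.success" and enrolled is not None
                      and later["src_ip"] not in known_ips):
                    findings.append({
                        "user": user,
                        "reset_at": reset["ts"],
                        "reset_actor": reset.get("actor"),
                        "mfa_enrolled_at": enrolled["ts"],
                        "login_at": later["ts"],
                        "new_ip": later["src_ip"],
                    })
                    break  # one finding per reset is enough to raise an alert
    return findings


if __name__ == "__main__":
    for finding in find_takeover_chains(SAMPLE_EVENTS):
        print(f"ALERT {finding['user']}: reset by {finding['reset_actor']} at {finding['reset_at']}, "
              f"new MFA factor at {finding['mfa_enrolled_at']}, login from {finding['new_ip']} at {finding['login_at']}")
```

The rule deliberately keys on the combination rather than any single event: help-desk resets and MFA re-enrolments are routine on their own, but a reset followed by a new factor and a login from an address the account has never used is the pattern that a help-desk impersonation produces. In practice the baseline would be built from weeks of login history rather than a few sample lines, and the same logic applies to any identity provider whose audit log records the reset actor, factor enrolment, and source address.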

M&S has boosted its defences by tripling its tech spending in the last three years, Machin said on Wednesday. He also noted that as part of the slow and steady recovery process, M&S security teams have proactively scanned at least 600 systems before bringing them back online.