New information reveals Scattered Spider, the ransomware group responsible for the Marks & Spencer (M&S) cyberattack, allegedly gained access to the retailer's systems by using the login credentials of two employees from third-party vendor and business partner Tata Consultancy Services (TCS) – which also touts the recently breached Co-op as one of its clients.
The bombshell allegations, reported by Reuters on Monday, align with the UK National Security Centre’s (NSC) latest blog about hackers targeting the retail sector, including attacks on fellow giants Harrods and Co-op.
The source reportedly told the news agency “that at least two Tata Consultancy Services employees’ M&S logins were used as part of the breach,” which was first publicized on April 22nd.
Cybernews has reached out to Tata Consultancy Services for a comment, but has not heard back at the time of this report.
TCS provides technology to both retailers
Formed in 1968, the Mumbai-headquartered Tata Consultancy Services is a major global business strategist and IT technology solutions provider for a variety of industries, including retail, banking, insurance, manufacturing, and healthcare.
“TCS and M&S were recognised for their collaboration to build an in-house loyalty platform using the latest technology stack, an engineering-driven approach, and a cloud-first strategy to enhance customer experience,” the consulting firm said in a August 2023 press release announcing their win for Retail Partnership of the Year.
A top employer in six continents, according to its website, TCS has over 600,000 consultants in 55 countries, 180 service delivery centres worldwide, partnering with British Airways, and other UK powerhouse retailers Tesco, Sainsbury's, Primark, and Asda.
Ironically in February 2024, TCS happened to have announced a new partnership with Co-op, the British retail cooperative, to revamp its IT infrastructure and adopt a cloud first strategy.
And although the NSC said it is “not yet in a position to say if the attacks are linked” it did warn retailers the importance of “detecting threat actors” who are either on your network, in your cloud services, or “using your employees’ legitimate access.”
Mentioning Scattered Spider by name, the NSC acknowledged the ongoing speculation among security insiders whether "social engineering" is being used to target IT helpdesks, specifically, "by performing password and multi-factor authentication (MFA) resets – a technique that the group has been reported to use in the past," the UK cyber agency said.
Andrew Bud, Founder & CEO of iProov, a biometrics solutions firm, explains that when it comes to vendor risk management, “modern multi-factor authentication – which was supposed to prevent these sorts of attacks – often relies on things people know, like passwords, and code numbers sent to their phones.”
“By impersonating IT help desks, hackers convince employees to give them both these factors, he said, describing it as a “crucial weakness inherent in the current ways of authentication.”
M&S recovery highlights safety over speed
Attacks on Harrods and Co-op quickly followed those on M&S, leaving the UK retail sector reeling from systemwide shutdowns, customer data being stolen, thousands of cancelled online orders, and empty shelves across hundreds of stores.
Marks and Spencer is said to be still struggling to restore its systems nearly a month after the attack left its online ordering system in shambles and, in its latest website update, admitted that some customer data had been stolen in the attack, prompting a customer-wide password reset.
Customer data confirmed to have been compromised in the M&S cyberattack includes dates of birth, contact details, and online purchase histories, although M&S stressed that no payment details, bank card information, or account passwords were taken.
"For a retailer with deep digital dependencies and complex supply chains, full-service restoration can take days," said Aditya K. Sood, VP of Security Engineering and AI Strategy at Aryaka.
“Critical systems, such as payment platforms, inventory management, and remote work infrastructure, are deeply interdependent,” Sood explained, adding that “an expanded digital footprint resulting from online retail, remote working, third-party services, and AI-driven systems, only widens the attack surface.”
Sood said that M&S’s prolonged downtime suggests potential weaknesses in incident response readiness and system recovery orchestration. "M&S should have had segmented environments and backup systems in place,” he said.
According to Reuters, the attack on the 141-year-old M&S, has likely already cost it over 60 million pounds ($80 million) in lost profit, according to analysts. It has also wiped over 1 billion pounds from M&S' stock market value, the outlet noted.
Besides the multi-million pound lawsuit it now faces over the customer data theft, according to British news outlet The Grocer, “the UK’s Information Commissioner's Office has the power to impose a fine of up to 4% of a company's annual turnover... in this case could mean anything up to £552m."
Scattered Spider claims both breaches
Scattered Spider, which claimed responsibility for both the M&S and Co-op attacks, had told the BBC it tried to infect Co-op systems with ransomware but failed when the attack was discovered in real time.
Scattered Spider is known for using highly effective and sophisticated phishing techniques to gain initial access to a targets’ systems, including SMS phishing, SIM swapping, and MFA fatigue attacks.
In fact, impersonating an IT help desk worker was its method of choice used by the Russian-linked group to carry out the devastating 2023 attacks on the MGM Resorts International and Caesars Entertainment in Las Vegas.
Bud suggests that companies should be using biometrics, like face verification, for secure authentication. “Employees’ faces can’t be conned away from them, or stolen, or shared. So if a fake helpdesk contacts the employee, and the employee verifies using their face, the hacker just gets some selfies,” he said.
These kinds of threats from hackers are now having vividly visible consequences and will only increase, so it is crucial to deploy new, easy-to-use and robust methods of biometric authentication to defend enterprises, employees and customers, Bud said.
Your email address will not be published. Required fields are markedmarked