Cyberattack Disrupts Operations at Marks & Spencer as Hacking Group Scattered Spider Claims Responsibility
The retail giant Marks & Spencer (M&S) has found itself at the center of a significant cyber incident linked to a hacking group known as Scattered Spider. This alarming development highlights the vulnerabilities that even large, established companies face in today’s digital landscape.
According to an investigative report by the technology news outlet BleepingComputer, the notorious Scattered Spider has executed a ransomware attack on M&S’s IT network. In this type of attack, hackers typically demand a steep ransom to restore access to vital systems, and industry insiders estimate that the figure could reach as high as £10 million. The attack has raised serious concerns regarding the overall security of retail operations and customer data.
The report claims that Scattered Spider, consisting primarily of teenagers and young adults operating in the UK and the US, first infiltrated M&S’s computer systems back in February. Although the company has yet to provide any clear timeline for the resolution of the issues arising from this incident, operations at all 1,049 M&S retail locations in the UK are reportedly affected. In the wake of this revelation, M&S’s stock has plunged nearly 7% since news of the attack broke last week, reflecting investor worries about the potential long-term consequences of this data breach.
In response to the attack, Marks & Spencer has enlisted the help of several cybersecurity experts, including firms such as CrowdStrike, Microsoft, and Fenix24. These organizations are working diligently to investigate the breach, address the vulnerabilities, and mitigate the impact on payments and orders that have subsequently been disrupted.
The hackers allegedly made off with a crucial database file, M&S’s NTDS.dit file, which holds the user accounts, passwords, and security authentication data for Windows Active Directory. This database is stored on domain controllers; if it is compromised, malicious actors can extract credentials from it and use them to gain further access to the entire IT infrastructure.
Reports indicate that the attackers utilized a ransomware tool known as "DragonForce" to encrypt and lock M&S’s systems and data. Such encryption makes the data inaccessible until a ransom is paid. Attackers often request payment in untraceable cryptocurrencies, which has become a common practice among cybercriminals.
Although it remains unclear whether M&S is currently being held to ransom, sources suggest that any such demand would likely be in the region of £10 million. Industry analysts assert that this figure aligns with what appears to be the standard rate for attacks on high-profile brands like M&S.
The decision to pay a ransom in response to a cyberattack presents a complicated dilemma for any organization. On one hand, agreeing to pay the ransom may allow companies to restore operations swiftly, protect customer data, and limit economic loss. In the retail sector, where system downtime can result in lost revenue and jeopardize consumer trust, the pressure to comply can be overwhelming.
On the other hand, paying a ransom poses significant long-term risks to companies. Such payments may incentivize further criminal activity and may also label the organization as a lucrative target for future attacks. Moreover, there is always the uncertainty regarding whether the attackers will fulfill their part of the bargain and provide a functioning decryption key.
Law enforcement agencies have consistently advised against paying ransoms, cautioning that doing so could embolden the growing ransomware economy and undermine broader efforts to enhance cybersecurity measures across industries.
Amidst the ongoing complications from the cyberattack, M&S has implemented additional measures for its operations. Reports indicate that approximately 200 agency workers at its principal distribution center have been instructed to remain at home, particularly as online orders have been put on hold. Agency staff constitute about 20% of the workforce at the Castle Donington warehouse situated in the East Midlands.
Last Friday, M&S also took the precautionary step of suspending online orders and has urged click-and-collect customers to wait for a notification confirming their order is ready before heading to stores. Furthermore, the retailer has restricted remote-working staff from accessing some internal IT programs during the ongoing crisis, although they can still perform some tasks from home.
In light of the attack, M&S has collaborated with data protection authorities and the National Cyber Security Centre to report the incident and implement protective measures for its network. This cyber incident arrives as a significant setback for M&S, which, under the leadership of CEO Stuart Machin, had been experiencing a turnaround with positive sales momentum and improved pre-tax profits over the past year.
As Marks & Spencer grapples with the implications of this cyberattack, the incident serves as a reminder of the pervasive risks businesses face in an increasingly interconnected world. M&S has so far refrained from making public comments regarding the specifics of the attack, but the repercussions of this incident are likely to affect not just the company, but also its customers and investors.