M&S Uncovers Cause of Major Cyberattack Amid Ransom Questions | Smarti News – AI-Powered Breaking News on Tech, Crypto, Auto & More

2025-07-09
Maya Thompson

M&S Sheds Light on Root Cause of High-Profile Cyberattack


Marks & Spencer (M&S), a leader in UK retail, has offered new insights into the significant cyberattack that recently disrupted its operations. While the company remains silent on the sensitive detail of whether a ransom was paid, new information has surfaced regarding how threat actors gained access to M&S's systems.

 

DragonForce: The Ransomware Group Behind the Cyber Breach


Investigations suggest that an organized ransomware gang known as DragonForce, believed to operate out of Asia or Russia, was behind the attack. DragonForce is unaffiliated with the similarly named Malaysian hacktivist group. This sophisticated group specializes in ransomware attacks and double extortion tactics, techniques that are increasingly prevalent in today's cyber threat landscape.

 

Social Engineering: The Entry Point for the Attack


The breach is reported to have originated from a targeted social engineering campaign. Cybercriminals impersonated an M&S employee and deceived a third-party support provider into resetting an employee's password. This gave the attackers unauthorized access to critical internal systems. Key sources, including the Financial Times, identified Tata Consultancy Services, which handles part of M&S's help desk support, as a potential vector in the breach.

 

Double Extortion and Data Compromise: What Was Affected?


Once inside, the attackers encrypted confidential data to prevent access and threatened to disclose it, an approach called double extortion. M&S confirmed the compromised information included customer names, birth dates, contact details, household data, and order histories. The total data extracted reportedly reached 150GB before systems were taken offline to stem the attack, causing delivery delays throughout the retail chain.

 

Ongoing Recovery and Industry Impact


Efforts to restore full functionality continue, with expectations that full operational recovery could take until late 2025. Notably, DragonForce has not yet published the stolen M&S data online, raising questions about whether a ransom was paid or if negotiations persist.

 

Calls for Greater Cybersecurity Transparency


M&S chairman Archie Norman has emphasized the importance of transparency in reporting cyberattacks, revealing that at least two major UK companies have potentially left recent attacks unreported. This incident underscores the urgent need for robust cybersecurity strategies—particularly for enterprises dependent on third-party providers.

 

Market Relevance and Best Practices


The M&S incident highlights the dangers of social engineering and the vulnerabilities introduced by complex supply chains. Retailers and large organizations are reminded to prioritize advanced cybersecurity solutions, comprehensive employee training, and clear incident reporting processes to protect sensitive data and ensure resilience against similar attacks in an evolving threat landscape.

Source: techradar
