Britain’s National Crime Agency is hailing a breakthrough after four people were arrested today by police investigating a spate of cyber-attacks that wreaked havoc on British retailers, targeting M&S, the Co-op and Harrods.
A 20-year-old woman was arrested in Staffordshire while three males – aged between 17 and 19 – were detained in London and the West Midlands. One of the suspects is from Latvia and the rest are British.
All four were arrested at their homes on suspicion of Computer Misuse Act offences, blackmail, money laundering and participating in the activities of an organised crime group.
M&S, the Co-op and Harrods were all hit with cyber attacks back in April. They were targeted with ransomware – malicious software which locks an owner out of their computer or network and scrambles their data. The criminals then demand a substantial payment, typically in cryptocurrency, to restore access to affected computers. These retail hacks have been linked to a group named Scattered Spider, whose constituents appear to be native English speakers. It’s thought they carried out the attacks by deploying a piece of malicious software from another group, called DragonForce. Using another gang’s ransomware is a common practice, known as a ransomware-as-a-service model, where the two entities involved share any proceeds.
While the hack meant both the Co-op and Harrods were forced to shut down their systems, the damage inflicted on M&S appears to have been the most substantial. The attack has cost it an estimated £300 million this year – the equivalent of a 30 per cent hit to profits. More than a month after the incident, M&S was still unable to deliver orders to Northern Ireland while the online store was down for seven weeks. This week, the department store’s chair Archie Norman told MPs that the business was still in “rebuild mode”.
Personal customer data was also stolen in the attack, including mobile numbers, home addresses and dates of birth. When hackers steal customer data, research suggests that this information is often reused by criminals for identity theft and phishing. And there are even studies emerging to indicate that victims of data breaches can find themselves more likely to have mortgage applications denied.
M&S has repeatedly refused to reveal whether or not it paid a ransom, which would likely have been in the millions. This week, Norman told MPs on the Business Select Committee that the firm would not “discuss the nature of the interaction with the threat actor”.
While the National Cyber Security Centre generally urges organisations not to pay ransoms if they are targeted, some ignore this advice and cough up. Which is understandable given the level of chaos wreaked upon those who refuse to be blackmailed.
In October 2023, the British Library was crippled by a major cyber-attack that shut down many of its services for months on end after it refused to pay a £600,000 ransom to Rhysida, a notorious Russian-affiliated hacker gang. The FT estimates that the attack cost the British Library up to £7m.
What can we learn from these attacks?
Notably, while the M&S describes itself as the victim of “sophisticated impersonation”, the initial hacking process sounds like a fairly simple technique.
The Scattered Spider group’s primary tactic is voice-based phishing. From what we know so far, it seems that the hackers called up an overseas, outsourced IT help desk and impersonated an M&S employee to get the desk’s support with resetting a single sign-on password. And, just like that, they were in.
While Norman has pushed back on suggestions that M&S left the back door open, he has conceded that, with the benefit of hindsight, the company would have brought forward its planned technology investment to strengthen its cyber-security systems.
While in the case of M&S the main vulnerability was in fact human, “the lesson to be learnt here is that sometimes just one vulnerability can can shake the whole system to its core,” says Aybars Tuncdogan, Reader in Digital Innovation and Information at Security, King’s College London. That’s why, he adds, companies “need to think of cybersecurity not just as a tedious and inconvenient IT issue, but as a core function of the business”.
Though the scale and sophistication of attacks vary, 74% of large businesses say they were targeted with cyber attacks last year, according to a cyber security breaches survey conducted by the UK government.
Reflecting on the M&S saga and the degree to which online shopping has transformed retail, it is thus unsurprising that Sir Charlie Mayfield, former chairman of John Lewis, says other retailers understand only too well how vulnerable they are.
Caitlin Allen
Deputy Editor
Gerald Warner
Jupiter’s tawdry state visit: the elites are dancing on a volcano
READ HERE
Anthony Peters
For investors, rational decision-taking has become all but impossible
READ HERE
UK-France boat deal – Keir Starmer and Emmanuel Macron have unveiled a “one in, one out” migrant deal to curb Channel crossings. According to Starmer, migrants arriving on small boats will be returned to France in exchange for asylum seekers who have not tried to enter the UK illegally. Speaking during his visit to London, the French President said that he was “totally committed” to the pilot scheme which will begin within weeks.
IDF kills Palestinians queueing for nutritional supplements – An Israeli strike near a medical point in central Gaza has killed at least 15 Palestinians, including eight children and two women, as they queued for nutritional supplements in the town of Deir al-Balah, according to the Al-Aqsa Martyrs hospital. The IDF said in a statement that it was targeting a member of Hamas and “regrets any harm to uninvolved individuals”.
Former Tory chair defects to Reform – Ex-Tory chairman Sir Jake Berry has defected to Reform UK, becoming the second former Conservative cabinet minister to join Nigel Farage’s party this week and the fourth former Tory MP in the last two weeks. Explaining the move, Berry wrote: “Old Westminster politics has failed. But there’s a better way”, adding that “change comes with challenging the old order.”
Ukrainian spy shot dead – Colonel Ivan Voronych of the Security Service of Ukraine was executed in broad daylight as he left his home in Kyiv, as Russia and Ukraine target respective intelligence officials for assassination. Details on the incident are limited thus far.
Ruling made over flight MH17 – A landmark ruling by the European Court of Human Rights Wednesday found that Russia shot down the MH17 flight in 2014 with 298 people on board, 10 of whom were from the UK. The plane was shot down by a Russian-made missile fired from eastern Ukraine controlled by separatists loyal to Moscow.
-
How Russia could exploit a vacuum in Europe. The dangers of a rapid drawdown in American forces in Foreign Affairs.
-
Matthew Hefler in Engelsberg Ideas: an attack on US intelligence.
-
Plans to relocate Gazans to a ‘humanitarian city’ look like a crime against humanity, writes international law expert, James Sweeney, in The Conversation.
-
Israel and Syria should prioritise security cooperation, argues Ahmad Sharawi in Foreign Policy.
-
Over 4.6 billion years on, the sun is having a moment. Bill McKibben in The New Yorker: Solar power has begun to truly transform the world’s energy system.