💰💣

Marks & Spencer Security Incident

April 22nd, 2025 153 days ago Resolved

Incident Overview

Situation Description

Marks & Spencer experienced a ransomware attack where hackers impersonated an employee and tricked a third-party service desk agent into resetting credentials, leading to a suspension of online orders.

Event Types

Ransomware Malware / Destructive Attack

Industry Sector

Retail

Geographic Scope

National (UK)

Response Actions

Revised Incident Response Plan Conducted Employee Training

Impact Analysis

Event Types (2 identified)

Ransomware Malware / Destructive Attack

Financial Impact

$0 USD

Records Affected

Data Types Compromised

Credentials PII (Personally Identifiable Information)

Primary Impacts

Operational Disruption Financial Loss Data Exposure

Key Decisions Made

Require strict identity verification for all password resets, including out-of-band confirmation.; Enforce MFA that cannot be easily reset or transferred without in-person verification or manager approval.; Train service desk staff to recognize social-engineering tactics, especially urgent or emotional requests and spoofed internal numbers.

Technical Analysis

Attack Method

Social Engineering

Threat Actor Attribution

Scattered Spider UNC3944 Octo Tempest Muddled Libra

Vulnerability / Tool

DragonForce

Additional Information

Table of Contents Free Active Directory Auditing Tool Try it now Home / Blog / News and Research / Scattered Spider service desk attacks: How to defend your organization Scattered Spider service desk attacks: How to defend your organization Table of Contents Marcus White May 07, 2025 (Last updated on July 11, 2025) Scattered Spider is a disparate hacking collective that has surged to prominence by using sophisticated social engineering tactics. One of their key tactics is exploiting people specifically, corporate service desks. They recently hit the headlines by allegedly carrying out a crippling ransomware hack on UK retailer Marks & Spencer (M&S ). M&S Chairman Archie Norman has since confirmed that hackers impersonated an M&S employee and tricked a third-party service desk agent into carrying out a password reset that gifted them access. The group have also been linked to the recent Co-op and Harrods attacks, which led to stolen member data and crippled payment systems. This has led to the UKs National Cybersecurity Centre (NCSC) warning organizations to be wary of phony IT helpdesk calls . Since this spate of attacks against UK retailers, four people have been arrested under suspicion of being involved in the hacks. Any organization with a service could theoretically be targeted by these low-tech, high-impact tactics.Well unpack how Scattered Spider and similar groups use social engineering to manipulate help desks into giving them access to corporate networks, as well some tips on what you can do to protect your business. Who are Scattered Spider? Its a good question Scattered Spider (also known as UNC3944 , Octo Tempest , and Muddled Libra ) is a difficult group to pin down. Scattered Spider is the name that was given to a group of cybercriminals that between mid-2022 and mid-2024 carried out cyberattacks that had a huge impact and coverage in the press. Theyve recently been linked to ransomware operations, acting mainly as affiliates for BlackCat (now...

... (truncated for display)

Quick Facts

Company:: Marks & Spencer
Date:: April 22nd, 2025
Status:: Resolved
Decision Maker:: nan
Position:: nan
Published:: 7/05/2025

Source Information

Original Query

impact of "Scattered Spider" tactics on corporate incident response and employee training

View Original Source

Timeline

Information Published

7/05/2025

Incident Occurred

April 22nd, 2025 (153 days ago)

Status: Resolved

Estimated resolution based on age

Actions

View Company Profile

Navigation

Quick Stats