As Scattered Spider – a hacking gang of ‘mostly teenagers’ – is linked to the M&S cyberattack, what’s at stake, and what options does it have?

While the country was enjoying the long Easter weekend, catastrophe was unfolding for one of its best-loved retailers, as hackers embedded in its IT systems began to take control.

As M&S struggled to contain the crisis, the impact has spread: from contactless payments and click & collect orders, it has been forced to halt online orders (of clothing, beauty and home products), lock out remote workers and tell agency depot workers to stay home. Stock deliveries to both Ocado and its own stores have been hit (resulting, M&S admitted on Wednesday, in “pockets of limited availability in some stores”) as have donations of surplus food to charities. It also rendered its careers page unable to search vacancies, despite hundreds being available. 

Staff have been sharing war stories online of having to check freezers frequently because defrost alarms are not working. The Sparks loyalty app – which has more than 18 million members – has been unable to process rewards. M&S’s scan & shop service has been suspended, and some stores have even been rendered cash only. 

“It’s easier to list the things that work than the things that don’t,” one staff member posted online.  

“It’s getting worse every day with no end in sight,” said another.

Depot computer systems had “gone down too”, impacting the volume of deliveries to stores, said a third.

Also scrambling to assess the damage is the City. Between 22 April, when M&S revealed the attack, and 3pm on 1 May, it knocked 7.2% off its share price, despite some recovery early this week. But the crisis is far from over.

So – with the Co-op and Harrods also targeted by hackers this week – how is M&S handling the crisis? And what are the repercussions?


Taking systems offline had led to ‘pockets of limited availability in some stores’, M&S said on Wednesday

The attackers

Among the many shocking revelations this week was the linking of the attack to a hacker collective known as Scattered Spider. First reported by technology news site BleepingComputer, it suggests M&S has fallen victim to a gang of English-speaking hackers who typically demand a ransom to unfreeze company systems.

“Scattered Spider are mostly residing in the UK, with some in the US,” says Arda Büyükkaya, senior threat intelligence analyst at cybersecurity firm EclecticIQ. “English is their mother tongue and they are mostly teenagers.”

Active since about 2022, “Scattered Spider is not organised like ransomware groups we associate with Russian-speaking cybercrime”, says Robert McArdle, director at Trend Micro. “They are a much looser connected network of individuals who resemble the structure of hacktivist groups like Anonymous.

“Scattered Spider has also routinely targeted retailers. Targeting M&S would be ‘on-brand’.”

Other cyberattacks

Harrods: Emerged as the latest retailer to be targeted by cyber attackers on Thursday, as it “restricted internet access at our sites” in response.

Co-op: That came after the Co-op this week withdrew staff access to several systems, having “recently experienced attempts to gain unauthorised access”, according to an internal memo.

Morrisons: In November last year, a cyberattack on technology provider Blue Yonder disrupted the supermarket’s supply chain management systems. It led to availability issues, particularly of fresh produce, which CEO Rami Baitiéh said hit Christmas sales.

KP snacks: In 2022 the food manufacturer was hit by a ransomware attack that left it unable to process orders and dispatch stock, with a “significant impact” on sales, it said.

JBS: The world’s largest meat processing company paid £7.8m in ransom to put an end to a major cyberattack that crippled its operations in 2021.


The incident impacted its loyalty app, scan and shop in stores, food donations to charity and even defrost alarms in chiller cabinets, with staff making frequent temperature checks as a back-up

Shaun Cooney, who previously established the UK’s National Cyber Security Centre, is not surprised to see retailers targeted in this way.

“Cybercriminals follow the money and the path of least resistance. Right now, it’s very clear that the UK retail sector offers both. With high volumes of transactions, valuable customer data, and increasingly digital operations, supermarket chains have become prime targets for bad actors.

“Vulnerabilities are rife, from legacy systems and under-secured loyalty apps to complex third-party supply chains. Attackers aren’t just opportunists, they’re strategists. And right now, retail appears to be their sweet spot.”


As to how they operate, the gang registers multiple domain names similar to those of its targets, to be used in its phishing efforts. Members also use publicly available online tools including search engines of IP addresses – a unique identifier of an individual device – to find devices linked to a retailer that are connected to the internet via a vulnerable application, says Büyükkaya.
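The lookalike-domain registrations described above can be screened for on the defending side. The following is an added example written for this page, not code from the article, M&S or any vendor quoted here: it compares the registrable label of each newly registered domain against a brand name using a small homoglyph fold, substring containment and edit distance. The brand name “examplegrocer” and every domain in the feed are constructed for illustration.

```python
"""Screen newly registered domains for imitations of a brand name.

Added example for this article (not the article's own material). The brand
and the domain feed are constructed; none of the domains are real findings.
"""

# Brand label the defender wants to protect (constructed example).
BRAND = "examplegrocer"

# Character sequences attackers swap for visually similar ones.
HOMOGLYPHS = {
    "0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "rn": "m", "vv": "w",
}

def normalise(label: str) -> str:
    """Lower-case a label, drop hyphens and fold common homoglyphs."""
    label = label.lower().replace("-", "")
    for glyph, plain in HOMOGLYPHS.items():
        label = label.replace(glyph, plain)
    return label

def levenshtein(a: str, b: str) -> int:
    """Edit distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_label(domain: str) -> str:
    """Return the label left of the public suffix.

    Naive rule: drop the last label, or the last two for suffixes such as
    .co.uk. A real deployment would use the Public Suffix List.
    """
    parts = domain.lower().strip(".").split(".")
    if (len(parts) >= 3 and parts[-2] in {"co", "org", "ac", "gov"}
            and len(parts[-1]) == 2):
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]

def classify(domain: str, brand: str = BRAND, max_distance: int = 2) -> str:
    """Classify one domain relative to the brand.

    Returns 'exact', 'homoglyph', 'brand-containing', 'lookalike' or 'unrelated'.
    """
    raw = registrable_label(domain)
    label, target = normalise(raw), normalise(brand)
    if raw == brand.lower():
        return "exact"
    if label == target:
        return "homoglyph"
    if target in label:
        return "brand-containing"
    if levenshtein(label, target) <= max_distance:
        return "lookalike"
    return "unrelated"

def screen(domains):
    """Return the (domain, classification) pairs that merit analyst review."""
    return [(d, c) for d in domains if (c := classify(d)) != "unrelated"]

# Constructed feed of "newly registered" domains for the demonstration.
NEW_DOMAINS = [
    "examplegrocer.com",            # the brand's own registration
    "exarnplegrocer.com",           # 'rn' standing in for 'm'
    "examplegrocer-hr.co.uk",       # brand plus a plausible department
    "examplegrocr.net",             # one character dropped
    "gardencentre-deals.example",   # unrelated
]

if __name__ == "__main__":
    for domain, verdict in screen(NEW_DOMAINS):
        print(f"{verdict:17} {domain}")
```

Feeding this a daily zone-file or certificate-transparency diff gives a short list to review; the homoglyph table and distance threshold are the knobs to tune for a brand's own length and spelling.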

The group would have infiltrated M&S’s systems some time before Easter, he adds. BleepingComputer has suggested they were in by February.

Camellia Chan, CEO of AI cybersecurity firm X-PHY, says: “Groups like Scattered Spider aren’t just locking companies out of their systems – they’re embedding themselves deep inside critical infrastructure, moving quietly, and striking at the worst possible moment.”


The damage

M&S faces a dilemma. On the one hand, Scattered Spider is “going to demand extortion money” to unlock its systems, says Büyükkaya. On the other, the retailer will be watching the costs rack up in lost sales and reputational damage.

M&S grew grocery sales by 14.4% year on year in the 12 weeks to 20 April, according to Kantar – faster than any other UK supermarket. This stellar growth could be at stake.

“For every sale lost due to poor availability, you are likely to lose further future sales as consumer loyalty is eroded,” says Jonathon Monger, joint MD of Amplify Retail Execution. “It is clear retaining consumer loyalty will be a very real concern.”

M&S is all too well aware. On the day it revealed the attack, CEO Stuart Machin put out a personal statement: “I know how much our customers trust M&S and that trust is incredibly precious to us,” he wrote.

And M&S’s “proactive communications have helped mitigate some of the reputational damage so far,” says Hayley Goff, crisis communications expert and CEO of Whiteoaks International. “But it will need to make sure customers have no reason to change their minds.

“If more severe issues emerge, like compromised card details, it could damage M&S’s credibility and pose questions around why the true extent wasn’t communicated earlier.”


Source: The Grocer

Worryingly Büyükkaya believes M&S customer data is “very likely” at risk. “We are seeing that Scattered Spider members prioritise data extortion in order to get more money from their victims,” he says.

Card details would usually be encrypted, and potentially harder for hackers to access, “but sometimes names and email addresses, phone numbers are not encrypted” and can be shared by hackers for identity theft purposes.

Such data breaches also come with a price tag. Members of Scattered Spider were linked to a cyberattack that brought down the systems of $14bn gaming giant MGM Resorts International in 2023. Earlier this year, MGM agreed to pay $45m to resolve a class action lawsuit over data breaches in 2019 and 2023, including attackers accessing customer data.


Will M&S pay the ransom?

M&S is working with cybersecurity experts from CrowdStrike, GCHQ’s National Cyber Security Centre, the Met Police and the National Crime Agency. But it may still need to pay up. A quarter (25%) of ransomware victims paid out in Q4 of 2024, according to specialist ransomware response firm Coveware. That’s down from 85% in 2019, suggesting “more organisations are improving cybersecurity defences” and “implementing better backup and recovery strategies”, a recent Coveware report says.

But even opting to pay comes with “no guarantee of long-term security”, says Büyükkaya.

“While attackers may provide a decryption tool [to unlock systems] or promise not to leak data, they can still retain or sell stolen data, re-attack the same organisation, or share access with partner groups.

“It’s not uncommon for these groups to publicly release the stolen data later or sell it on the dark web, effectively revictimising the same target or expanding the damage.”


Taking back control without paying relies on “internal cybersecurity teams and external experts isolating the attackers, removing their access, and restoring services from clean backups” adds Büyükkaya.

So it’s too early to talk about the damage. And the same is true of the lessons. But “lesson one”, says Büyükkaya, is “to be more protective of the domain controller”. Scattered Spider is reported to have first gained access by stealing a crucial Windows file, ‘NTDS.dit’. The domain controller is the “crown jewel of the system”, enabling hackers to bypass multiple verification requirements on multiple devices, says Büyükkaya.
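One concrete way to act on “lesson one” is to alert on access to NTDS.dit, the file on a domain controller that holds the Active Directory account database. The following is an added example for this page, not code from the article, M&S or any of the firms quoted: it scans simplified Windows Security audit records for the file being opened by anything other than the LSASS service, for a copy of it appearing outside the NTDS directory, and for built-in administrative tools that can copy the database starting on a domain controller. The event records are constructed and carry only the fields the checks need; the field names follow the Windows Security log (EventID 4663 object access, 4688 process creation), but the records themselves are not real logs.

```python
"""Detect suspicious handling of NTDS.dit on a domain controller.

Added example for this article (not the article's own material). Events
below are constructed; real Security-log records carry many more fields.
Object-access auditing (4663) only fires if a SACL is set on the NTDS folder.
"""
from typing import Optional

# On a running domain controller only the LSASS service should open NTDS.dit.
LEGITIMATE_READERS = {r"c:\windows\system32\lsass.exe"}

# Where the live database normally lives; a copy elsewhere is a red flag.
NTDS_DIR = r"c:\windows\ntds"

# Built-in tools that are legitimate in planned backup or promotion work but
# otherwise rare on a domain controller, so their start is worth a review.
WATCHED_TOOLS = {"ntdsutil.exe", "vssadmin.exe", "diskshadow.exe"}

def is_ntds_path(path: str) -> bool:
    return path.lower().replace("/", "\\").endswith("\\ntds.dit")

def check_event(event: dict) -> Optional[str]:
    """Return an alert message for a suspicious event, or None."""
    eid = event.get("EventID")
    user = event.get("SubjectUserName", "?")
    if eid == 4663:  # object access
        obj = event.get("ObjectName", "").lower()
        proc = event.get("ProcessName", "").lower()
        if is_ntds_path(obj):
            if not obj.startswith(NTDS_DIR):
                return f"NTDS.dit copy at {obj} touched by {proc} as {user}"
            if proc not in LEGITIMATE_READERS:
                return f"NTDS.dit opened by {proc} as {user}"
    if eid == 4688:  # process creation
        image = event.get("NewProcessName", "").lower().rsplit("\\", 1)[-1]
        if image in WATCHED_TOOLS:
            return f"{image} started on domain controller by {user}"
    return None

def run(events):
    """Return every alert raised over a list of events, in order."""
    return [alert for alert in map(check_event, events) if alert]

# Constructed sample of audit records from a hypothetical domain controller.
EVENTS = [
    {"EventID": 4663, "SubjectUserName": "SYSTEM",
     "ProcessName": r"C:\Windows\System32\lsass.exe",
     "ObjectName": r"C:\Windows\NTDS\ntds.dit"},                 # normal
    {"EventID": 4663, "SubjectUserName": "svc-helpdesk",
     "ProcessName": r"C:\Windows\System32\cmd.exe",
     "ObjectName": r"C:\Windows\NTDS\ntds.dit"},                 # alert
    {"EventID": 4688, "SubjectUserName": "svc-helpdesk",
     "NewProcessName": r"C:\Windows\System32\ntdsutil.exe"},     # alert
    {"EventID": 4688, "SubjectUserName": "jane.doe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe"},      # normal
    {"EventID": 4663, "SubjectUserName": "svc-helpdesk",
     "ProcessName": r"C:\Windows\System32\xcopy.exe",
     "ObjectName": r"C:\Temp\ntds.dit"},                         # alert
]

if __name__ == "__main__":
    for line in run(EVENTS):
        print("ALERT:", line)
```

The same three conditions translate directly into SIEM rules; the point of keeping them separate is that each one has a different legitimate baseline (LSASS always, backup tooling occasionally, copies of the database never).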

However, Scattered Spider “stands out in the techniques it uses”, says McArdle. “It leverages helpdesk and phone-based social engineering, where malicious attackers pose as staff to trick an IT department into password resets.”

Büyükkaya says: “They call people. They hire real people to read scripts. User education is very important.”

It’s a lesson M&S is learning the hard way, in a major blow to its successful turnaround story. But as it firefights, it’s important not to lose perspective, says Shore Capital broker Clive Black. “The market is discounting [that M&S] is on a good overall trajectory. The grocery business is flying, and clothing is gaining market share. That’s the underlying reality, and once it’s out of the clipboards and manual running of the business it’s pretty much back on song.

“They’ll be disappointed and worried, but it won’t last forever and what doesn’t kill you makes you stronger.”