Last week, popular British retail chain Marks & Spencer confirmed “pockets of limited availability” across some of its stores following a cyber attack.
The effect of the attack has been massive: M&S has had to suspend online orders, and millions have been wiped from the company’s market value. Some distribution centre workers have been told to stay home, and the full scale of the attack is still being investigated.
The cyber attack has involved ransomware, according to National Cyber Security Centre founding chief executive Ciaran Martin. The ransomware has essentially crippled M&S’s capability to operate normally.
As we reported in this week’s Cyber Security News, the hacking group Scattered Spider is believed to be responsible for the attack.
How did this happen?
According to the publication BleepingComputer, the group is suspected of having breached M&S systems as early as February this year, allegedly stealing the Windows domain’s NTDS.dit file. This file is the Active Directory database and holds user credentials for the whole domain. The group is also believed to have used ransomware to encrypt parts of M&S’s infrastructure.
The group is known for employing sophisticated social engineering attacks on organisations, including phishing and multi-factor authentication (MFA) fatigue attacks, in which a user is bombarded with MFA prompts until one is approved. Therefore, it’s likely that a senior member of M&S’s IT team was compromised and access was gained that way.
What can be learned from this attack?
This attack just proves that ANY organisation, of any size in any sector can be a victim of a cyber attack.
UK Cabinet minister Pat McFadden has said this should be a “wake-up call” for UK organisations and that cybersecurity is not a luxury but an absolute necessity.
The first thing any organisation should do is make sure that it has basic security principles in place and speak to a cyber security expert if it doesn’t have one in-house (like D2NA).
A good place to start is Cyber Essentials, which is recommended by the National Cyber Security Centre. This scheme ensures an organisation has all the fundamentals in place.
Multi-factor authentication (MFA) should also be enabled on EVERY account where possible across an organisation. Bear in mind that push-based MFA can still be worn down by the fatigue attacks described above, so prompts that are repeatedly denied or ignored should be monitored and investigated.
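As an added illustration of how a defender can spot the MFA fatigue pattern mentioned above (this is example code written for this post, not anything from M&S or the investigation), the following Python flags users who deny or ignore many push prompts in a short window and notes whether an approval followed the burst. The log line format and the sample lines are constructed assumptions; adapt the regex to your identity provider’s export.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log (not real M&S data). The line format is an
# assumption: "<ISO-8601 UTC> user=<name> result=<approved|denied|timeout>".
SAMPLE_LOG = """\
2025-02-10T02:11:05Z user=j.smith result=denied
2025-02-10T02:11:41Z user=j.smith result=denied
2025-02-10T02:12:20Z user=j.smith result=timeout
2025-02-10T02:13:02Z user=j.smith result=denied
2025-02-10T02:14:15Z user=j.smith result=timeout
2025-02-10T02:15:30Z user=j.smith result=denied
2025-02-10T02:16:48Z user=j.smith result=approved
2025-02-10T09:00:00Z user=a.jones result=denied
2025-02-10T17:30:00Z user=a.jones result=approved
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) result=(approved|denied|timeout)$")

def parse_log(text):
    """Parse lines into sorted (timestamp, user, result) tuples; skip malformed ones."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3)))
    return sorted(events)

def detect_mfa_fatigue(events, window=timedelta(minutes=10), threshold=5):
    """Flag users who denied or ignored >= threshold pushes inside one window, and
    record whether an approval followed the burst (the user finally gave in)."""
    rejected, approved = defaultdict(list), defaultdict(list)
    for ts, user, result in events:
        (approved if result == "approved" else rejected)[user].append(ts)
    alerts = {}
    for user, times in rejected.items():
        start, best, burst_end = 0, 0, None
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide the window start forward
                start += 1
            if end - start + 1 > best:
                best, burst_end = end - start + 1, ts
        if best >= threshold:
            gave_in = any(timedelta(0) <= a - burst_end <= window for a in approved[user])
            alerts[user] = {"rejected_in_window": best, "approved_after_burst": gave_in}
    return alerts
```

An approval arriving straight after a burst of rejections is the case worth treating as a probable compromise rather than a nuisance.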
Staff training is also key here: staff need to be aware of the risks and stay vigilant. We launched D2Aware last year to help with ongoing training and awareness.
Operating your organisation with a zero-trust attitude is crucial. Nothing should be trusted by default.
In conclusion, if you are reading this and your organisation has not been sufficiently investing in its cyber security, then, just as Pat McFadden said, this should be a wake-up call…