Iconic UK retailers are facing a spree of unprecedented cyber-attacks. Marks & Spencer (M&S), Harrods, and the grocery chain Co-op are dealing with separate, yet equally destructive breaches that have hampered operations, halted online shopping, and in some cases, prevented customers from redeeming vouchers or store credit.
Adding insult to injury, the cyber incidents have played out in the public arena – with intense media scrutiny and disgruntled customers taking to social media to air their frustrations. At the time of writing, M&S's share price has slumped, and the loss of market capitalisation since the crisis began is approaching the £1 billion mark.
Digital Forensics Lead Consultant Tom Orton of Kordia says this is a serious breach that may take weeks to fully recover from. “We don’t have all the detail on the full impact of the attacks, but it appears to be a ransomware attack that has catapulted M&S back to the stone ages, using pen and paper to trade in some instances. I suspect a significant part of their digital systems are encrypted and will need to be rebuilt.”
With media reporting that 20 million records of customer data have also been stolen in the Co-op case, Orton says this is becoming the norm.
“First, attackers disrupt operations through malware and encryption of critical data assets, and secondly, they steal data and threaten to publish or leak this onto the dark web. This puts double the amount of pressure on the victim to pay an extortion demand – a tactic known as ‘double extortion’.”
Noting that the cyber criminals have also laid public claim to the attacks via the media, Orton says that this is just another type of leverage being used by malicious hackers. “Reputational damage is a big consideration, particularly for retailers who have built up a trusted customer base over decades. The threat of going public is another way cybercriminals establish leverage over the victim. That’s where crisis communications plans are essential – if you can front foot the issue with very clear messaging around the attack and what happened, it does take that power away from the attackers.”
A ransomware group that goes by the name "DragonForce" told the BBC it was responsible for the attacks on M&S and the Co-op and an attempted hack of Harrods, and said there would be more attacks soon. However, Orton cautions that DragonForce often acts as an affiliate for other cyber-criminal gangs, providing malicious code and “Ransomware as a Service” kits that enable almost anyone to launch a damaging cyber-attack. Western groups, often composed of young people in their late teens to early 20s, have been using such tactics to great effect.
“We are seeing a blurring of lines between state-sponsored actors and local cyber-crime groups. Having English-speaking hackers armed with Russian malware is a deadly combination. It’s a lot easier for social engineering attacks to succeed when perpetrated by someone with native language and context.”
“These attackers are using targeted, vicious social engineering techniques. They start off using coercion – a very typical example would see them call the IT helpdesk and try to get password resets actioned by impersonating users. When that fails, they can resort to intimidation and threats of physical violence against end users – such as in the case of the cybercriminal group ‘Scattered Spider’.”
Orton says retailers are prime candidates for cyber-attacks. “Retailers tend to work on razor-thin margins. So, it’s not surprising that a lot of traditional outfits have been lacking when it comes to investing into their security posture. Security teams have been underfunded, the tooling has been underfunded and now that is catching up with them.”
It is unclear whether M&S or other UK retailers will pay a ransom to their attackers.
“Theoretically, it is never ideal to pay a cyber-attack extortion demand. A lot of businesses and organisations are quite principled on that.”
“But in severe cases, there are different variables that you would have to analyse to ascertain a good direction. How compromised are you? Have the attackers taken data? What kind of data have they taken? Is your network infrastructure completely dead in the water? Are you able to trade?”
In some cases, Orton says boards may need to agree to pay to save their business from total demise. Boards should have a robust decision-making process in place to deal with those situations.
“This is where planning ahead can be a good idea. As part of a tabletop exercise, defining and discussing how the organisation would respond to an extortion demand, the parameters for decision-making, what you would decide at the executive level and board level, and the extent of the board’s involvement is a good place to start.”