Beyond the Breach: What the M&S, Co-op, and Dior Cyberattacks Reveal About Modern Business Risk
In recent weeks, you've likely seen, read and maybe even experienced how major brands like Harrods, Marks & Spencer (M&S), Co-op, and Christian Dior have fallen victim to significant cyberattacks. From empty shelves to disruption and worry, these incidents underscore a critical reality: no organisation, regardless of size or industry, is immune to cyber threats.
It's not even brick-and-mortar stores who are being hit, Coinbase, an American cryptocurrency exchange has also been hit by an attack which could cost them up to $400m.
Understandably, such a volume of attacks breeds uncertainty, fear and worry amongst all of us. And honestly? It should make you sit up and take note. It's a concern.
Over the last week, we've spoken to many of our clients who have shared similar concerns about recent headlines, so we're going to delve into the details of these breaches, the methods employed by attackers, and the lessons that businesses must heed to bolster their cybersecurity posture.
The M&S Cyberattack: A Deep Dive
Over the Easter weekend, it was revealed that M&S experienced a significant cyberattack that disrupted its online operations and compromised customer data.
Hackers gained access through a compromised third-party system, highlighting the risks inherent in supply chain dependencies (we'll dive into how they did it step-by-step shortly).
The breach led to the exposure of personal information, including names, addresses, and order histories, though payment details remained secure. As it's still ongoing, more may be revealed about the impact. However, the financial ramifications have already been substantial enough to cause headaches. Some estimates suggest losses of up to £200 million, and the company's market value dropped by over £1.1 billion in the wake of the attack. We expect more fallout to come out in the wash over the coming weeks.
How the M&S Cyberattack Happened: A Step-by-Step Breakdown
As we said, it's still an evolving situation, so this is based on what we've read and how we understand the attack to have reportedly happened:
1. Reconnaissance: Scouting for Weak Spots
In any attack, the first step is to look for the digital equivalent of an open window. In this case, attackers began by researching M&S and its suppliers, looking for the chink in their armour and identifying a third-party service provider - connected to M&S systems - with weaker security controls.
2. Social Engineering: Tricking Humans, Not Computers
Instead of brute-forcing their way in, the attackers were much more calculated. They used social engineering - manipulating human behaviour. They reportedly called the IT service desk, pretending to be legitimate M&S employees. With enough personal detail (possibly found on LinkedIn or past data leaks), they convinced helpdesk staff to reset credentials and grant access.
3. Initial Access: Getting a Foot in the Door
We believe this took place sometime in February to give you an idea of how long and slow-burning these things are. Now, armed with real employee credentials, the attackers logged into internal systems as "trusted users," making it much harder to detect the breach in real time.
4. Lateral Movement: Snooping Around
Once in, attackers tend not to do much at first. They quietly moved between systems, probing for valuable data - like customer information, transaction history, and internal operations data. With the average breach taking 194 days to be discovered, they avoid triggering alarms by mimicking normal user behaviour, in this case, over months.
5. Data Exfiltration: The Getaway
Having located sensitive information, they copied and extracted it from M&S's systems - typically in encrypted batches to avoid detection.
6. Fallout: Discovery & Disclosure
Eventually, over the Easter weekend, the DragonForce ransomware was deployed across M&S systems, alerting them to the breach and causing havoc. Online orders were suspended, stores were disrupted, and food counters were shut. Public disclosure followed, alongside immediate efforts to contain the damage, notify affected customers, and begin recovery.
This wasn't a case of cutting-edge hacking. It was deception and human behaviour mixed with common vulnerabilities - and it worked. That's what makes this attack especially concerning for other businesses: the tactics used are simple, scalable, and repeatable.
Co-op's Close Call: Mitigating a Potential Catastrophe
Shortly after the M&S incident, Co-op faced its own cyber threat - albeit on a somewhat smaller scale.
By deploying ransomware, hackers managed to access data on a significant number of members, exposing names and contact details and causing chaos in stores across the country. Shelves in a lot of branches quickly emptied - and stayed bare.
However, it could've been much worse.
Swift action by Co-op's IT team prevented a complete system lockdown, allowing the company to restore operations more quickly than M&S. Empty shelves for a considerable amount of time is money lost for the Co-op - and creates new worries for people who rely on them for their shop, too. Has a cyberattack ever gone as granular as impacting your food shop before? It's a first for me, if nothing else.
A slow return in stock levels has only started to occur over the weekend just gone, but hopefully they're back to normal soon. One thing this incident emphasises, though, is the importance of rapid response and robust incident management protocols.
Christian Dior: Luxury Doesn't Equate to Security
Christian Dior disclosed a cyberattack that compromised customer data too, including contact information and purchase histories - although they claim no financial data has been lost.
While payment information remained unaffected, making it a softer blow than it could've been, the breach serves as a stark reminder that high-end brands are not exempt from cyber threats. It's also still ongoing, so we'll keep an eye on what's happened. One thing is for certain: the incident also highlights the global reach of cybercriminals and the need for international vigilance.
Common Threads: What These Attacks Reveal
Several similarities emerge across these incidents that we’ve noticed:
External Vulnerabilities
Attackers exploited weaknesses in third-party systems, underscoring the need for comprehensive vendor risk assessments.
Social Engineering Tactics
In the case of M&S, especially, hackers used social engineering to manipulate IT help desks into resetting passwords and granting unauthorised access.
Data as a Target
Personal customer data was a primary target. Why? Cyber criminals can use it for identity theft and phishing campaigns.
Real-World Damage
Beyond immediate financial losses, these breaches have long-term implications for things such as brand trust and customer loyalty.
Lessons for UK Businesses
But what can you learn from all of this? What’s the takeaway we want you to have?
If nothing else, you should be mindful that you’re not safe, and risks are higher than ever for everyone, from high-fashion to the high street.
Cyberattacks are no longer a matter of ‘if’ you get targeted; it’s a matter of ‘when’ you get targeted. If these huge names can and are getting hit, you’re not safe. You can’t control that.
But you can control your plan, defences and ability to cope with being in the spotlight. We promise, it’s not all doom and gloom - and by following these lessons, you put yourself in the best possible position to deal with it:
Implement Zero-Trust Architectures: Assume that threats can come from both outside and inside the organisation and verify all access requests.
Enhance Employee Training: Regularly educate staff on recognising and responding to phishing attempts and social engineering tactics.
Conduct Regular Security Audits: Assess both internal systems and third-party vendors for vulnerabilities.
Develop and Test Incident Response Plans: Ensure that your organisation can respond swiftly and effectively to contain breaches and mitigate damage.
The Last Word
These recent cyberattacks serve as a wake-up call for businesses across the UK. Cybersecurity is no longer a concern solely for IT departments; it's a critical component of overall business strategy. By learning from these incidents and proactively strengthening defences, organisations can better protect themselves and their customers in an increasingly digital world.