Blogs & Opinions 31.07.2025

Retail Under Fire: How to Avoid a £440m Problem

Marks & Spencer, Co-op and Harrods were hit within days of each other. What went wrong, and what do retailers need to do to ensure they’re not next?

Retailers faced with an increasingly unpredictable adversary must manage risk in a more dynamic way, insists ISMS.online’s Sam Peters

The youngsters responsible for a string of recent UK retail breaches (M&S, Co-op and Harrods) are, at the time of writing, in police custody. But there are many more where they came from. They represent a new breed of cyber criminal: fast, bold, and unpredictable. Meeting this fresh challenge while managing the persistent risk from more traditional threat actors will require a new approach to security and compliance – one that is more proactive, dynamic and adaptive.

Retail under fire

Sam Peters, ISMS.online

The attacks came without warning, hitting Marks & Spencer, Co-op and Harrods within days of each other in mid-to-late April. M&S was the worst hit, after attackers reportedly managed to encrypt some of its VMware ESXi hosts with the DragonForce ransomware variant. Striking before the Easter bank holiday weekend, the attack and resulting IT outages forced the firm to suspend contactless payments, Click & Collect and online orders. Stock levels on the shelves ran low as logistics hubs were disrupted, and an unspecified number of individuals had their personal information stolen.

The Co-op appeared to be more resilient. Its network monitoring tools and incident response protocols kicked in early to detect and contain the threat. After spotting suspicious network activity, the firm shut down the system before any further damage could be done. However, this was not before significant volumes of information were stolen, and stock levels in some stores were impacted for over two weeks due to disruptions to inventory management systems.

Harrods fared even better. Although it confirmed unauthorised access to its systems on May 1, the high-end department store’s physical and online operations remained virtually unaffected. It doesn’t appear as if any significant data compromise occurred.

A £440 million problem

These are the retail attacks we are aware of. At a recent parliamentary committee hearing, M&S chairman Archie Norman told lawmakers that at least two “large British companies” had suffered breaches which ultimately never made it into the public domain. It’s unclear whether they bought the silence of their extorters with a sizeable ransom payment.


However, what is clear is the scale of the potential financial and reputational damage that such breaches can cause. The Cyber Monitoring Centre (CMC) officially labelled the M&S and Co-op incidents a ‘Category 2 systemic event’ with a total financial impact estimated at £270-440m. This includes direct business interruption costs, such as lost sales, incident response and IT restoration, as well as legal and notification expenses. M&S has informed shareholders that it expects total losses of around £300m, which will be partly recouped through insurance.

It is harder to gauge the impact on customer trust and loyalty from empty shelves and malfunctioning e-commerce operations. M&S’s online store was shuttered for around seven weeks, while the firm saw £700m wiped off its stock market value in the days following the incident.

Time to change

Most reports suggest the perpetrators were affiliated with the Scattered Spider collective. This is not a cohesive APT group in the traditional sense but rather a loosely organised network of like-minded threat actors. They’re often young, native English-speaking, and fiendishly good at social engineering. That marries with reports that the M&S attackers managed to obtain log-ins from a third-party contractor at Tata Consulting. They’re technically skilled but also audacious and fast-moving, escalating attacks quickly from initial access to find, encrypt and steal data. That’s a nightmare for incident responders.


It also highlights the challenges facing today’s network defenders. They may have designed a security strategy around one type of threat actor – the traditional Russian cybercrime professional. But now they find themselves facing an altogether different adversary.

The answer is to fight fire with fire, by evolving a defensive strategy to become more adaptable. Best practice cyber hygiene should be a given today. This includes data encryption, vulnerability and patch management, multi-factor authentication, asset management, security awareness training, and more. But the threat landscape is constantly evolving. And approaches to risk management must follow suit.

Dynamic and proactive

Retail security teams require tools like AI-powered network monitoring to continuously monitor traffic for signs of intrusion. These can help them spot the needle in the haystack that could mean a ransomware breach, and take rapid action to reduce the blast radius of an attack. AI technology is also empowering organisations to conduct continuous risk assessments, which can detect security gaps such as misconfigurations and unpatched vulnerabilities. These can be fixed to build resilience before an attack has even struck.
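The Co-op account above (suspicious network activity spotted early, system shut down before further damage) and the contractor-credential angle in the M&S reporting point to the kind of signal continuous monitoring is meant to surface: a third-party account authenticating from a source it has never used, followed shortly by access to hypervisor management. The following is an added illustration, not code from the article or from ISMS.online; the log format, account names, IP addresses and host names are all constructed for the example, and the 30-minute escalation window is an assumed tuning value.

```python
"""Added example: a simple two-stage detection pass over constructed log lines.

Stage 1 flags a third-party (contractor) account that authenticates from a
source address absent from its baseline. Stage 2 flags hypervisor management
logins by that same account within a short window after the anomalous login,
which is the point at which responders would want to contain the blast radius.
Log format and all sample values are constructed; they are not from the article.
"""
from datetime import datetime, timedelta

# Constructed baseline: source addresses each account has been seen from before.
BASELINE = {
    "svc-contractor-ops": {"203.0.113.10"},
    "jsmith": {"198.51.100.7"},
}
# Constructed list of accounts belonging to third parties / contractors.
THIRD_PARTY_ACCOUNTS = {"svc-contractor-ops"}
# Assumed tuning value: how soon after an anomalous login hypervisor access counts.
ESCALATION_WINDOW = timedelta(minutes=30)

# Constructed log lines: "<ts> <event> user=<u> src=<ip> [target=<host>]"
SAMPLE_LOGS = """\
2025-04-17T08:02:11Z auth_ok user=jsmith src=198.51.100.7
2025-04-17T08:05:40Z auth_ok user=svc-contractor-ops src=203.0.113.10
2025-04-17T22:14:03Z auth_ok user=svc-contractor-ops src=192.0.2.55
2025-04-17T22:21:47Z hv_mgmt_login user=svc-contractor-ops src=192.0.2.55 target=esxi-01
2025-04-17T22:23:09Z hv_mgmt_login user=svc-contractor-ops src=192.0.2.55 target=esxi-02
2025-04-18T09:00:00Z hv_mgmt_login user=jsmith src=198.51.100.7 target=esxi-01
"""


def parse_line(line):
    """Split one constructed log line into a dict of fields plus a datetime."""
    ts, event, *kv = line.split()
    fields = dict(part.split("=", 1) for part in kv)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    fields["event"] = event
    return fields


def detect(log_text, baseline=BASELINE, third_party=THIRD_PARTY_ACCOUNTS,
           window=ESCALATION_WINDOW):
    """Return a list of (alert_type, user, detail, timestamp) tuples."""
    alerts = []
    anomalous_login = {}  # user -> timestamp of first login from an unknown source
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user, src = ev["user"], ev["src"]
        if (ev["event"] == "auth_ok" and user in third_party
                and src not in baseline.get(user, set())):
            # Stage 1: contractor account seen from a source outside its baseline.
            alerts.append(("NEW_SOURCE_THIRD_PARTY", user, src, ev["ts"]))
            anomalous_login.setdefault(user, ev["ts"])
        elif (ev["event"] == "hv_mgmt_login" and user in anomalous_login
                and ev["ts"] - anomalous_login[user] <= window):
            # Stage 2: hypervisor management access shortly after the anomaly.
            alerts.append(("HYPERVISOR_ACCESS_AFTER_ANOMALY", user,
                           ev["target"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

On the constructed sample, the contractor account's daytime login from its known address produces nothing; the late-evening login from an unknown address raises one alert, and the two hypervisor logins that follow within the window raise two more. The staff account's hypervisor login the next morning is not flagged because it never left its baseline. In practice the baseline would be learned from historical authentication data rather than hard-coded, and the second stage is what turns a single odd login into a containment decision.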

Pivoting to such an approach may not come easily. However, this is where best practice cybersecurity standards can be beneficial. The latest version of ISO 27001, for example, places a strong emphasis on continually improving the effectiveness of the corporate information security management system (ISMS). It emphasises adaptive risk management as a way to assess and mitigate cyber risks dynamically, taking into account rapidly changing threats and the evolving enterprise attack surface.

Point-in-time assessments and static, reactive compliance may have been effective a decade or even five years ago. But they are no longer fit for purpose in a world where change is the only constant. Retailers must adapt to this new reality or risk becoming the next M&S.

Sam Peters has nearly twenty years of experience in information security and digital technology, becoming the ISMS.online chief product officer in 2021. Prior to his current role, Sam held the roles of CISO and DPO and led ongoing work to maintain ISO 27001 certifications and other standards like PSN. Sam started his career in digital roles in both the public and private sectors, working in finance, education and with law enforcement.
