Marks & Spencer resumes click-and-collect operations
The UK retail giant Marks & Spencer (M&S) experienced a significant cyber attack in April, which halted online ordering and contactless payments. The attack, believed to have been carried out by the DragonForce ransomware-as-a-service operation, also affected other retailers such as Co-op and Harrods.
Following the M&S hack, the National Cyber Security Centre (NCSC) issued guidance on how organisations should tighten up their security practices. The NCSC emphasizes the need for ransomware defense and general cyber resilience, and recommends several key actions.
Firstly, organisations should make regular, secure backups of important files. These backups should be kept offline/offsite, scanned for malware, and distributed across different storage types and locations to protect against ransomware loss.
Secondly, preventing malware delivery and lateral spread inside organisations is crucial. This can be achieved by filtering malicious files/emails, blocking malicious websites, disabling risky protocols like unprotected Remote Desktop Protocol (RDP), using Multi-Factor Authentication (MFA), patching known vulnerabilities, and limiting account privileges to reduce attack surfaces.
Thirdly, maintaining up-to-date user permissions, software versions, VPN configurations, and authentication mechanisms is essential to further prevent attacker movement internally.
The NCSC also encourages organisations to report ransomware incidents promptly, as mandated by UK regulations, to support law enforcement investigations and strengthen defenses collectively.
The M&S hack is believed to have taken place through a social engineering attack that involved impersonating workers and IT help desks. Therefore, companies should be particularly cautious in the case of senior employees with escalated privileges, such as Domain Admin, Enterprise Admin, and Cloud Admin accounts.
Companies should also review their password reset policies, particularly how IT help desks authenticate workers when they make a reset request. Ensuring the use of multi-factor authentication (MFA) across the board is also recommended.
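The help-desk verification step described above, written out as a tiered policy check: callers are verified by proofs they actually perform (a callback to the number on file, an approved MFA push, a manager confirmation over a separate channel, an in-person ID check), details that an impersonator could learn from public or leaked data never count, and accounts in privileged groups need two independent proofs including manager approval. This is an added illustration, not NCSC guidance text or M&S's own process; the group names, evidence categories and thresholds are assumptions constructed for the example.

```python
"""Tiered help-desk password-reset verification (added example, not NCSC or M&S code).

All group names, evidence types and thresholds below are hypothetical and were
constructed for this illustration.
"""
from dataclasses import dataclass, field

# Hypothetical privileged groups that get the strictest verification tier.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Cloud Admins"}

# Proofs the help desk may record; each is something the caller performs,
# not something they merely claim.
KNOWN_EVIDENCE = {
    "callback_registered_number",  # desk hangs up and calls the number on file
    "mfa_push_approved",           # caller approves a push on their enrolled device
    "manager_approval",            # line manager confirms via a separate channel
    "in_person_id_check",          # physical ID shown at the desk
}

# Facts an impersonator can obtain from public or leaked data; these are
# logged for the record but never count toward verification.
WEAK_EVIDENCE = {"knows_employee_id", "knows_manager_name", "caller_id_matches"}


@dataclass
class ResetRequest:
    username: str
    groups: set
    evidence: set = field(default_factory=set)
    requested_via: str = "phone"


def required_tier(groups):
    """Return (minimum number of strong proofs, proofs that must be present)."""
    if groups & PRIVILEGED_GROUPS:
        # Privileged accounts: two independent proofs, one of them manager approval.
        return 2, {"manager_approval"}
    return 1, set()


def evaluate_reset(req):
    """Decide whether a reset may proceed; returns (allowed, list of reasons).

    The reasons list is meant to be written to the ticket so that a later
    review can see exactly which proofs were accepted or ignored.
    """
    reasons = []
    strong = {e for e in req.evidence if e in KNOWN_EVIDENCE}
    ignored = req.evidence & WEAK_EVIDENCE
    if ignored:
        reasons.append(f"ignored weak evidence: {sorted(ignored)}")
    unknown = req.evidence - KNOWN_EVIDENCE - WEAK_EVIDENCE
    if unknown:
        reasons.append(f"unknown evidence type(s): {sorted(unknown)}")

    need, must_include = required_tier(req.groups)
    missing = must_include - strong
    if missing:
        reasons.append(f"privileged account requires {sorted(missing)}")
    if len(strong) < need:
        reasons.append(f"need {need} strong proof(s), have {len(strong)}")

    allowed = not missing and len(strong) >= need
    if allowed:
        reasons.append("verified by: " + ", ".join(sorted(strong)))
    return allowed, reasons


if __name__ == "__main__":
    # Constructed sample requests (hypothetical users and groups).
    samples = [
        ResetRequest("j.smith", {"Staff"}, {"caller_id_matches"}),
        ResetRequest("j.smith", {"Staff"}, {"callback_registered_number"}),
        ResetRequest("a.admin", {"Domain Admins"},
                     {"mfa_push_approved", "callback_registered_number"}),
        ResetRequest("a.admin", {"Domain Admins"},
                     {"mfa_push_approved", "manager_approval"}),
    ]
    for req in samples:
        ok, why = evaluate_reset(req)
        print(f"{req.username}: {'ALLOW' if ok else 'DENY'} - {'; '.join(why)}")
```

The point of keeping weak evidence separate rather than simply rejecting it is auditability: the ticket records that the caller knew the employee ID or that caller ID matched, which is useful when reviewing a suspected social-engineering attempt, without letting those facts ever satisfy the policy.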
The investigation into the M&S hack remains one of the National Cyber Crime Unit's highest priorities. Last month, four people were arrested as part of a National Crime Agency (NCA) investigation into the attacks targeting M&S, Co-op, and Harrods. Today's arrests are a significant step in the investigation.
M&S's 'cyber incident' is predicted to cut the company's profits by as much as £300 million this year. M&S chair Archie Norman described the incident as 'traumatic'. However, the company has resumed click-and-collect services, with online orders for delivery resuming early June.
This incident serves as a stark reminder of the importance of maintaining robust cybersecurity measures. Organisations must prioritize ransomware defense and general cyber resilience to protect against such attacks. By following the NCSC's guidance, retailers can take significant steps towards improving their cybersecurity posture and reducing the risk of similar incidents.
- The National Cyber Security Centre (NCSC) recommends that retailers, following the M&S cyber attack, make regular, secure backups of important files and prevent malware delivery and lateral spread inside their organizations to bolster their ransomware defense and overall cyber resilience.
- As the M&S incident serves as a reminder of the importance of maintaining robust cybersecurity measures, organizations must prioritize implementing measures like regular backups, malware prevention, multi-factor authentication, and strict password policies to protect against similar cyber attacks in the future.