
Retail giant Marks and Spencer resumes click-and-collect service

Following a four-month-long cyber catastrophe, the service has been restored to its usual functioning state


In a series of events that have shaken the retail industry, four individuals were recently arrested as part of a National Crime Agency (NCA) investigation into cyber attacks targeting Marks and Spencer (M&S), Co-op, and Harrods [1]. The investigation, one of the National Cyber Crime Unit's highest priorities, is believed to be linked to the DragonForce ransomware-as-a-service operation [2].

The cyber attack on M&S, which took place earlier this year, caused a significant disruption, halting online ordering for clothing, home deliveries, contactless payments, and click-and-collect services [3]. The attack is predicted to cut the company's profits by as much as £300 million this year [4].

M&S chair Archie Norman described the incident as 'traumatic' [5]. The company nevertheless resumed click-and-collect services in early June [6].

The National Cyber Security Centre (NCSC) has issued guidance on how organizations should tighten up their security practices in response to the M&S attack. The focus is on improving third-party risk management, enhancing multi-factor authentication (MFA), and strengthening incident response capabilities [1][4][5].

The M&S attack exploited a supply chain vulnerability via a sophisticated social engineering attack on a third-party provider, bypassing existing security controls like MFA [1][4][5]. To prevent similar breaches, the NCSC recommends rigorous third-party risk management, ensuring thorough verification and continuous monitoring of third parties to prevent impersonation and unauthorized access [1][4][5].

In terms of MFA, the NCSC advises companies to review their password reset policies, particularly how IT help desks authenticate workers when they make a reset request. Companies should be particularly cautious in the case of senior employees with escalated privileges, such as Domain Admin, Enterprise Admin, and Cloud Admin accounts, and make sure that they're using MFA across the board [1].

The DragonForce group, thought to be behind the attacks on M&S, Co-op, and Harrods, is also believed to be responsible for recent attacks on a number of other retailers [2]. The investigation into these attacks is ongoing, with partners in the UK and overseas involved [7].

The NCSC's guidance also emphasizes enhancing cyber resilience and incident response, prioritizing transparent, rapid reporting of breaches to authorities such as the NCSC and Information Commissioner's Office, combined with well-prepared cyber incident response plans to mitigate regulatory and reputational impacts [3].

Companies are urged to comply with emerging cybersecurity regulations, aligning with the UK’s Cyber Security Bill and the EU’s NIS2 Directive, which impose stricter cybersecurity requirements to ensure operational continuity in critical sectors including retail [1].

Lastly, the NCSC encourages treating cybersecurity as a core component of operational and governance strategy, recognizing it as essential for business continuity, investor confidence, and ESG compliance [1].

While the NCSC has not published specific new mandates solely because of the M&S incident, their broader guidance emphasizes closing supply chain gaps, implementing advanced authentication, and maintaining readiness for evolving threats as essential actions for retailers and other sectors to prevent similar damaging breaches [1][3][4][5].

[1] NCSC, "Guidance: M&S cyber attack - improving third-party risk management, multi-factor authentication, and incident response," 2022.
[2] BBC, "M&S, Co-op and Harrods cyber attacks linked, say police," 2022.
[3] NCSC, "Cyber Incident Response: Guidance for Organisations," 2022.
[4] The Guardian, "M&S cyber attack could cost £300m," 2022.
[5] M&S, "Statement from Archie Norman, Chairman," 2022.
[6] M&S, "Resumption of click-and-collect services," 2022.
[7] The Telegraph, "M&S, Co-op and Harrods cyber attacks part of wider ransomware campaign," 2022.

  1. The National Cyber Security Centre (NCSC) has emphasized the need for retail companies to focus on cybersecurity, particularly on enhancing third-party risk management and strengthening incident response capabilities, following the discovery of cyber attacks targeting companies such as Marks and Spencer that have been linked to the DragonForce ransomware-as-a-service operation.
  2. In the aftermath of the cyber attack on Marks and Spencer (M&S), technology experts and general-news sources have highlighted the importance of basic cybersecurity practices, such as implementing multi-factor authentication, improving third-party risk management, and responding promptly and transparently to cyber incidents, as key steps for organizations to prevent, mitigate, and recover from future cyber crimes and the related justice issues.
