Shares in Marks & Spencer continue to slide. Since the UK retailer was subjected to a successful cyber attack last month, more than £750 million ($1 billion) has been wiped off its stock market value.
Slowly, its systems are returning but there are still some gaps on shelves and online orders remain halted. It could take weeks or months to get everything up and running again. Meanwhile, UK brands Co-op and Harrods have also been hit. Others are bracing themselves in the knowledge that these infiltrations tend to come in waves. No matter when this episode is finished, there will be more in the future.
Apart from customers waxing lyrical in the media and on social media about a return to "good old-fashioned shopping", with some even heralding the outbreak as a saviour of beleaguered bricks and mortar stores, the episode has served to highlight the extraordinary vulnerability of supposedly safe IT. Except it is not safe, of course. Nothing ever is. No security blanket has been invented for anything anywhere that cannot be penetrated somehow.
Usually, however strong the protection, it depends on human beings for its operation. And they are susceptible to committing errors, accepting bribes and falling prey to blagging. In the case of M&S, it appears the cyber criminals committed what is referred to in the jargon as "social engineering", which really means manipulating people into handing over passwords, or access, that they shouldn't.
Typically, this can be:
- phishing and spear phishing: sending fraudulent emails claiming to be from a reputable source, or scouring the user's social media to build up personal detail so that an email – from a gym, say – looks all the more believable;
- vishing and smishing: same as the email but using voice or SMS;
- pretexting: setting up a scenario in which the data owner hands over information under false pretences;
- baiting: offering something enticing, such as a gift card, to lure users to exchange that all-important detail;
- tailgating and piggybacking: closely following an authorised user to gain unauthorised access, or persuading them to allow access by holding the door open, as it were;
- quid pro quo: offering a service in exchange for the credential; for example, calling a company, pretending to be from the IT department and claiming to be looking for someone with a technical issue to "help".
These are the most popular six. There are others. Merely listing them is exhausting and gives a flavour of the threat and the degree of sophistication companies must counter. Now multiply that number many times for the total of attempts made daily at breaching, say, a major bank or consumer-facing seller. As a senior executive at a global investment bank said, they must defeat thousands every single day. It was like being circled constantly by hordes of insects looking for any weakness, any way in.
The IRA issued a statement after the Brighton bombing that almost killed prime minister Margaret Thatcher in 1984: "Today we were unlucky, but remember we only have to be lucky once. You will have to be lucky always."

That's how it is for corporations conducting a never-ending battle. It is ceaseless and relentless: the moment one barrier is erected, another crack is found. And because the system must be operated by people in order to function, somewhere it will rest on human fragility.
After the M&S break-in, thought to have been carried out by a loose affiliation of UK and US hackers calling themselves Scattered Spider, the National Cyber Security Centre issued new guidance to combat the technique used. It recommends that organisations "review help desk password reset processes" and pay particular attention to "admin" accounts, which generally have far wider access across a company's network, so a single fraudulent reset of one of them does far more damage.
That will necessitate the introduction of further steel gates, but will it be enough? It could make a difference but it will not be sufficient. Where people ultimately hold the keys, nothing is.
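To make the NCSC recommendation concrete, here is an added example of the kind of gate a help desk could put in front of every password reset. It is not code from the column, from M&S or from the NCSC; the fields on the request (caller ID match, callback to the directory number, MFA push, manager approval, reset count) and the tiering of accounts are hypothetical, chosen to show the principles a practitioner would want: a caller's phone number and a sense of urgency are never enough on their own, proof of possession of an enrolled factor is the minimum, and an admin account needs two independent proofs plus a recorded sign-off and a tighter rate limit.

```python
"""Help-desk password-reset gate (added illustration, hypothetical fields)."""
from dataclasses import dataclass, field
from enum import Enum


class Tier(Enum):
    STANDARD = "standard"
    ADMIN = "admin"  # accounts with broad access; tiering is an assumption for this example


@dataclass
class ResetRequest:
    """Facts the agent has established during one reset call (hypothetical fields)."""
    username: str
    tier: Tier
    caller_id_matches_directory: bool = False  # number shown matches the directory entry
    callback_confirmed: bool = False           # agent hung up and rang the directory number back
    mfa_push_approved: bool = False            # user approved a push on the enrolled authenticator
    manager_approved: bool = False             # out-of-band approval recorded from the manager
    caller_claims_urgency: bool = False        # "I'm locked out of a board meeting", etc.
    resets_last_24h: int = 0                   # resets already granted for this account today


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def evaluate(req: ResetRequest) -> Decision:
    """Return whether the reset may proceed and why; every denial names the missing step."""
    d = Decision(allowed=False)

    # Caller ID is spoofable, so it never counts as proof; its absence is only a warning.
    if not req.caller_id_matches_directory:
        d.reasons.append("caller id does not match directory; verify identity out of band")

    # Urgency never lowers the bar. It is the classic pretext, so it is logged, not honoured.
    if req.caller_claims_urgency:
        d.reasons.append("urgency pressure noted; do not skip verification")

    # Repeated resets on one account within a day are an account-takeover signal.
    limit = 1 if req.tier is Tier.ADMIN else 3
    if req.resets_last_24h >= limit:
        d.reasons.append(
            f"{req.resets_last_24h} resets in 24h reaches limit {limit}; escalate to security")
        return d

    # Minimum for any account: proof of possession of something already enrolled.
    # (Recovery of a lost MFA device is a separate, stricter flow not modelled here.)
    if not (req.callback_confirmed or req.mfa_push_approved):
        d.reasons.append("no proof of possession: need callback to directory number or MFA push")
        return d

    if req.tier is Tier.ADMIN:
        # Two independent proofs, so that one compromised factor (e.g. a SIM swap) is not enough.
        if not (req.callback_confirmed and req.mfa_push_approved):
            d.reasons.append("admin reset needs both callback and MFA push")
            return d
        if not req.manager_approved:
            d.reasons.append("admin reset needs recorded manager approval")
            return d

    d.allowed = True
    d.reasons.append("verification satisfied")
    return d


if __name__ == "__main__":
    # Constructed calls: a pressured "admin" with only an MFA push, and a routine user reset.
    for req in (
        ResetRequest("it-admin", Tier.ADMIN, caller_id_matches_directory=True,
                     mfa_push_approved=True, caller_claims_urgency=True),
        ResetRequest("store-colleague", Tier.STANDARD, caller_id_matches_directory=True,
                     callback_confirmed=True),
    ):
        print(req.username, evaluate(req))
```

The point of returning reasons rather than a bare yes/no is that the agent sees exactly which step is missing and cannot be talked past it, and the denial text becomes the audit trail security reviews afterwards.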
What is alarming is how Scattered Spider and its ilk put distance between themselves and the crime. They smash the window, dig the tunnel or bribe the guard – take your pick – but leave the actual disabling of systems and the extorting of a ransom to others. They hand the access on and leave the scene. So the people the company is forced to deal with are not those who broke in, which makes the intruders all the harder to trace.

The problem is that companies do deal. They do not like to admit it, but they have no choice. Scattered Spider came to attention in September 2023 when the MGM Resorts and Caesars Entertainment casino groups in Las Vegas had their systems locked up. Caesars reputedly handed over about $15 million to have them freed. Companies elsewhere have also paid up, in effect to be allowed to resume their business.
One solution, as with kidnapping, is to deny the criminals their reward by refusing to pay. But as with the holding of a person, that takes enormous courage and carries the risk that the victim does not survive.
Another is to pour extra resources into policing, investigation and pursuit. But that requires funding and expertise that many police forces do not have, and, crucially, it depends on close international co-operation: countries coming together to agree to stamp out the villains and, critically, meaning it. We are far from achieving that.
Unfortunately, until we do, there will be further claims of installing foolproof fencing and more chief executives discovering that isn’t true and receiving that late-night call they now dread the most from the IT department.