In recent months, UK retailers Marks & Spencer (M&S) and the Co-operative Group (Co-op) have faced devastating cyberattacks, revealing critical vulnerabilities and highlighting the urgent need for improved cybersecurity measures. These incidents underscore the importance of adopting advanced security solutions to safeguard sensitive data and maintain customer trust.

The scale and impact of the attack are huge. M&S took a £300M financial hit, with a 12% drop in annual profits and a £1B reduction in share value.

Even weeks after the attack, the disruption is extensive and ongoing. M&S had to take some websites down, online sales will be unavailable for an estimated three months, and customer personal data has been stolen. The Co-op also suffered disruption to contactless sales and major stock issues in its stores.

The impact doesn’t stop there. While the corporate impact is huge, end users are also directly impacted by the loss of their personal data and, in some cases, the inability to purchase food.


How it happened

While investigations are ongoing, this is what we know so far.

The Scattered Spider hack group is responsible for both attacks. This group includes US and British nationals who focus on British and North American targets.

Being native English speakers gives them an edge when performing social engineering. Learn more in this article by The Register: Ex-NSA bad-guy hunter listened to Scattered Spider's fake help-desk calls: 'Those guys are good.'

The group also has a history of successfully attacking other US identity, messaging, hospitality, gambling, and finance companies, including Twilio/Okta and MGM.

Multi-layered attacks were used, which included:

  • Security vulnerabilities

  • Social engineering of Help Desk teams and employee impersonation

  • Multiple phishing kits

  • Malware

  • SIM swap attacks

Three key learnings

  1. The risk is real and has a demonstrably huge impact amounting to billions of dollars. No enterprise vertical is safe.

  2. Securing internal access is just as important as securing external customer access to your systems.

  3. A multi-layered approach is needed, including monitoring, authentication, and verification.

How Syniverse products protect against this kind of attack

  • SIM swap detection — This tool alerts retailers to potential SIM swap fraud, stopping attackers from gaining unauthorized access to accounts by intercepting authentication codes.

  • Multi-factor authentication (MFA) — By requiring multiple forms of verification, MFA significantly reduces the risk of unauthorized access, ensuring that even if one credential is compromised, additional layers of security protect sensitive data.

  • Right Party Verification (RPV) — This ensures that interactions and transactions are conducted with the correct individuals, minimizing the risk of fraud and identity theft.

  • Passwordless authentication — By eliminating traditional passwords, this method reduces the risk of credential theft, employing more secure alternatives like biometrics or secure tokens.

Conclusion

The cyberattacks on M&S and Co-op serve as a stark reminder of the vulnerabilities all enterprises face. Adopting advanced security solutions like those described above makes protection from potential threats possible and fosters trust and confidence with customers. These measures not only protect financial interests but also safeguard the personal data of millions, ensuring that retailers can continue to serve their communities with integrity and security.

Investing in robust cybersecurity measures is no longer optional — it's a necessity in today's digital landscape.

To discuss your requirements, contact a Syniverse expert.

Learn more about maximizing the ROI of identity and authentication solutions in our whitepaper, Cracking the Security Trilemma.
