In a year marked by unprecedented cyber assaults on the UK’s retail sector, we sit down with Rupert Marais, our in-house security specialist, to dissect the wave of attacks linked to the Scattered Spider hacking group. With expertise in cybersecurity strategies and network management, Rupert offers a unique perspective on the incidents that crippled giants like Marks & Spencer and the Co-op. We will explore the anatomy of these sophisticated supply chain attacks, the critical role of modern infrastructure in incident recovery, the subtle art of detecting attackers during their reconnaissance phase, and the strategic shift toward human-centric security that is now defining the industry’s response.
The M&S breach was linked to compromised credentials from a third-party vendor. Could you walk us through the typical steps of such a supply chain attack, from the initial social engineering of the vendor to the ultimate infiltration of the primary target company?
Absolutely. This is a classic, albeit highly effective, playbook for groups like Scattered Spider. It begins not with a brute-force attack on the main company, but with a much softer, more deceptive approach targeting a trusted partner—in this case, an IT outsourcing firm. The attackers use what was described as a “sophisticated” social engineering campaign. This isn’t just a generic phishing email; it’s likely targeted manipulation, perhaps of specific tech staff, to trick them into giving up their credentials. Once the attackers have a legitimate foothold inside the third party, they essentially have a trusted key to the front door of the main target. They can then pivot from the vendor’s network into the retailer’s systems. M&S’s chairman himself highlighted their massive attack surface, with 50,000 colleagues and numerous contractors. Each one is a potential entry point, and by compromising a vendor, the attackers exploited that distributed trust to bypass the primary defenses.
The Co-op’s cloud migration was credited for its quicker recovery compared to M&S, which faced a four-month rebuild of legacy systems. Beyond simply being “in the cloud,” what specific architectural or security-by-design features provide such resilience and speed up recovery after a ransomware attack?
This is the most critical lesson from the entire affair, and it really highlights the tangible value of modernization. The difference between the two retailers is stark. M&S, by their own admission, had to painstakingly rebuild their legacy systems over four grueling months. Imagine the immense effort and cost involved in that. The Co-op, on the other hand, was much further along in its cloud transformation. When you have a “secure by design” cloud architecture, you have capabilities that legacy systems just can’t match. This includes things like infrastructure-as-code, which allows you to redeploy entire clean environments from templates in minutes or hours, not months. It means better network segmentation to contain a breach and prevent it from spreading, and more robust, automated backup and snapshot features that are isolated from the production environment. For the Co-op, recovery wasn’t about rebuilding; it was about restoring. This distinction—restoration versus a four-month rebuild—is precisely why their shops were back to normal trading by June while M&S was still deep in crisis.
Scattered Spider reportedly conducted reconnaissance for weeks inside corporate networks before acting. What specific activities would they be engaged in during this “dwell time,” and what subtle signs or metrics could a security team monitor to potentially detect this pre-attack surveillance?
This reconnaissance phase is what makes these attacks so devastating. The techniques were described as “elegant and subtle” for a reason. Once inside, the attackers don’t immediately deploy ransomware. They operate like spies, moving silently to map the network architecture, identify the most critical assets, and locate sensitive data like payment information and intellectual property. They spend weeks, maybe even months, watching and scouring, escalating their privileges and establishing persistence so they can’t be easily kicked out. Detecting this is incredibly difficult. You’re not looking for a loud alarm bell; you’re hunting for whispers. A vigilant security team would be monitoring for faint signals like a user account accessing systems it normally doesn’t, administrative actions being performed at unusual hours, or data being moved between internal servers in a way that deviates from normal business patterns. These aren’t opportunistic smash-and-grab attacks; they are meticulously planned invasions, and that long, quiet reconnaissance is the most dangerous part.
In response to these events, Holland & Barrett created a dedicated “People behavior team.” Can you elaborate on the practical, day-to-day functions of such a team? What specific training programs or security awareness metrics do they use to measure their effectiveness?
The creation of a “People behavior team” is a brilliant and necessary evolution in security strategy. It’s an admission that technology alone isn’t enough. The day-to-day function of such a team is to foster a pervasive culture of security awareness. This goes far beyond a once-a-year training video. They would be running continuous, realistic phishing simulations to train employees to spot malicious emails. They’d be creating and disseminating real-time threat intelligence—for example, warning store managers about attackers impersonating IT staff, a tactic used by Scattered Spider. Their mission is to turn every employee into a human sensor for the security team. As for metrics, they would track the click-through rates on phishing tests, the number of employees who report suspicious activity, and the speed of that reporting. Seeing phishing attempts skyrocket from 20 to 300 a month, as Holland & Barrett did, provides a stark, quantifiable reason for this focus. Devoting a third of the entire security budget to this team is a powerful statement that the human element is no longer a soft skill but a hard-line defense.
M&S reported a £300m loss, and its chairman suggested other major attacks went unreported. Could you break down how costs accumulate so rapidly following a major breach? What are the primary business and legal factors that might lead a company to avoid disclosing a similar incident?
The £300m figure is staggering, and it’s a stark reminder that the cost of a breach goes far beyond any potential ransom payment. The primary driver is business interruption. M&S had to halt online orders for months; that’s a massive, direct hit to revenue. Then you have the colossal cost of incident response: hiring forensic experts, legal counsel, and professional intermediaries to negotiate, which M&S confirmed they did. There’s also the operational expense of rebuilding systems from the ground up, which took four months. On top of all that, there are potential regulatory fines and the long-term brand damage. As for why companies might not report, the M&S chairman’s comment that at least two other major attacks likely went undisclosed is very telling. Companies face immense pressure. A public disclosure can trigger a stock price collapse, shatter customer trust, invite regulatory scrutiny, and open the door to class-action lawsuits. The fear of that fallout can sometimes lead to a decision to handle the crisis quietly, even if it means concealing a significant financial and operational blow.
Do you have any advice for our readers?
My advice is to treat these events not as a distant news story but as an imminent blueprint for what could happen to any business. First, understand that if you’re in retail, you are in a target-rich environment. Don’t assume you’re too small or too secure. Second, accelerate your digital transformation. The difference between M&S’s four-month rebuild and Co-op’s rapid recovery is a powerful business case for migrating off legacy systems and into a modern, secure-by-design cloud environment. Third, invest heavily in your people. The “People behavior team” at Holland & Barrett is the model; social engineering is the primary way in, and a well-trained, vigilant workforce is your best first line of defense. Finally, build your communication network before a crisis hits. Join information-sharing groups, run unplanned crisis drills with your leadership team like AllSaints now does, and make sure everyone understands the threat. In today’s landscape, resilience is a team sport.