Prominent British brands have struggled over recent weeks to get to grips with a spate of cyber attacks that put sensitive customer data at risk.
In the case of Marks & Spencers, they fell victim to an attack by the hacking group known as “Scattered Spider” amongst many names. Marks & Spencer or colloquially known as M&S was forced to take many key systems offline, in order to mitigate the impact; this resulted in empty store shelves and customers unable to use their website for online orders.
Specifics of the attack remain unclear – but the group are known for gaining unauthorised access to systems via social engineering, sim swap and MFA fatigue attacks. One of their biggest known attacks was against Caesars casino group in the U.S.A. They gained access to the sensitive data of millions of people, forcing Caesars to pay a ransom of 15 million US dollars.
In the case of Harrods, without giving too many details they announced they had detected unauthorised access to systems, and they had taken steps to limit access. So far there has been no clarification on whether sensitive data has been leaked.
Finally Co-op, a major UK retailer based in Manchester are suffering a major cyber attack reportedly by a group called “Dragon Force”. The attack is believed to be a “ransomware” attack, where highly sensitive data is either encrypted (changed so it is unreadable) or stolen. The attackers then demand a fee to de-encrypt the data, or threaten to release the stolen data unless the fee is paid.
In all three cases, the consequences of an attack are extremely serious. First is the risk of people linked to the stolen or illegally accessed data becoming victims of fraud. Second is the damage to brand reputation, the costs of which range from millions to unquantifiable. Finally there is the prospect of savage fines from the data regulators if they are found not to have taken proper steps to keep their IT systems secure.
Generally from a code and hardware perspective, computer systems are quite secure. Large companies spend millions building and designing well-architected systems that can resist most types of software based hacking. Encryption algorithms have never been more secure, and most programming languages have built in security features that are relatively easy for a competent software engineer to implement. The days of hackers being pizza eating geeks that sit in dark rooms surrounded by computer screens are pretty much over.
The weak point now is the people using the systems. In case of the M&S attack, access was supposedly gained via the helpdesk staff. If an attacker can get one users password, or other credentials then they can gain a foothold in the system. Once that happens further attacks involving privilege escalation occur until they have the access they require to achieve their aims – either installing a backdoor, or malware that can perform the ransom ware attack. Most systems assume if you have the right login details, you are supposed to be there, so permissions are pretty loose. When these are tightened up, the system users get frustrated – leading to lax practices, like password sharing, not logging in via secure methods like VPNs, or old users who shouldn’t have access not being removed.
These three companies have learned some very expensive and painful lessons – and hopefully other companies are taking notes, which in the long run will make things more secure for all of us.
We hope…
