Kevin BeaumontA wrote a piece about paying ransoms does not equal quick restoration - in fact, quite often it makes things worse. https://doublepulsar.com/big-game-ransomware-the-myths-experts-tell-board-members-03d5e1d1c4b7
Great NCSC piece by @ollie_whitehouse
I’d add - block by Entra policy specifically High risk logins (below is too FP prone), and SOC monitor them. SOC playbook = account probably compromised. How?
https://www.ncsc.gov.uk/blog-post/incidents-impacting-retailers
Sky News quote a source in M&S head office saying Marks and Spencer have no ransomware incident plan so they are making it up as they go along apparently, with staff sleeping in the office and communicating via WhatsApp.
M&S dispute this, saying they have robust business continuity plans.
BBC News has a look at teenagers phoning helpdesks and pretending to be the CISO. https://www.bbc.com/news/articles/c4grn878712o
One of the points of exploitation of large orgs is they usually outsource their Service Desk to somewhere cheap offshore who don’t know the org staff, and when you call and say your name, they normally put big all caps bold red warning if the person is a VIP, eg C suite, so they get VIP service - ie anything goes.
Co-op Group appear to be trying to course correct with their cyber incident comms.
They’re calling it a cyber incident now, and have put a statement on the front page of their website, along with an FAQ. They haven’t yet emailed members (they should). Edit: they’ve started emailing members.
It sounds like the situation at Co-op has got worse. They’ve stopped taking card payments in some stores, it’s cash only. https://www.telegraph.co.uk/business/2025/05/06/co-op-shops-stop-taking-card-payments-amid-cyber-attack/
People are also taking to social media to post pictures of apparently emptying store shelves.
The Co-op website claims it is down to "technical issues".
Contactless payment has been fixed at all Co-op Group stores.
One thing for media covering the Co-op thing - attackers are not impersonating IT help desks to gain access. They’re impersonating *staff* calling in to the IT help desks - they’re different things.
Co-op Group are redirecting supplies from their urban stores to remote and island locations due to stock shortages.
The article mentions their EDI platform is suffering “technical issues”. https://www.retailgazette.co.uk/blog/2025/05/co-op-reroutes-stock/
I just did a Shodan Safari on Co-op - basically all their Windows and Linux systems in their core DCs at network boundary are down, it's not just EDI. It's been like that for just under a week, prior to that things were still online.
I feel really bad for them as it's a great org. Also their CEO is basically the only one who stood up like this for trans people.
https://www.telegraph.co.uk/business/2025/05/04/ill-protect-trans-people-to-the-end-vows-co-op-boss/
If you're wondering about Marks and Spencer - I just did a Shodan Safari of their network boundary, Palo-Alto GlobalProtect VPN remote access access is still offline, 15 days later.
Online orders are still not working, and the store stock checker is disabled now.
Co-op have paused all non-essential products in stores https://www.retailgazette.co.uk/blog/2025/05/co-op-non-essential/
Every detail in this article is wrong. The M&S incident had nothing to do with hybrid working.
Marks and Spencer’s online shopping is still offline 3 weeks later. It is thought they have lost around £63m so far, excluding IR, BCP and ransom payment costs. https://www.drapersonline.com/news/ms-online-shopping-outage-enters-third-week
M&S had a significant amount of data stolen btw, but they’ve opted not to tell customers or staff.
The Grocer reports 4 regional Co-ops, who aren’t part of Co-op Group, are suffering stock shortages as they are supplied by Co-op Group.
They expect customers to start to see availability issues on shelves in the coming days.
For orgs looking for defence tips for the attacks on UK retailers, this blog from 2022 about the UK teenagers in LAPSUS$ has relevance.
As a plot twist - not documented anywhere online, but LAPSUS$ first attacks in 2021 were against UK high street retailers.
DEV-0537 criminal actor targeting organizations for data exfiltration and destruction | Microsoft Security Blog
The activity we have observed has been attributed to a threat group that Microsoft tracks as DEV-0537, also known as LAPSUS$. DEV-0537 is known for using a pure extortion and destruction model without deploying ransomware payloads.
For anybody wondering what 'dial into the incident response bridge' means, it means they'll literally Teams call into cyber IR bridges as themselves and just extort you to your face. They'll also call CISOs etc. Bad Times at the El Royale.
Marks & Spencer bureau de change staff are being forced to use pen and paper to serve customers as a result of the cyber attack on the retailer and cannot accept card payment. https://www.thisismoney.co.uk/money/markets/article-14696595/Hack-rocks-Marks-Spencer-bureau-change.html
Co-op Group have provided some more detail about what it’s doing about remote lifeline stores (ones where they’re the main/only retailer on an island):
“From Monday, 12 of the most remote lifeline stores will receive treble the volume of available product, and another 20 lifeline stores will get double the volume.” https://www.bbc.com/news/articles/c071e7x80djo
DragonForce Ransomware Cartel’s portal is back online after a multi week outage. No sign of M&S or Co-op’s data.
All M&S recruitment is still stopped, 19 days in. https://jobs.marksandspencer.com/
I think Co-op may have stopped recruitment too, they’re a big employer so usually have hundreds of open positions - currently they have 17, and most close today and the rest in a few days.
The Record quotes a Co-op worker as saying they are operating at well below 20% of their normal capacity in depots. https://therecord.media/co-op-cyberattack-uk-company-fears-hackers-still-in-system
Allianz supplies Marks and Spencer's cyber insurance, and will apparently suffer a full tower loss (i.e. it's going to be expensive) https://www.insuranceinsider.com/article/2esiwg4yv6p38pcf2pgxs/lines-of-business/cyber/allianz-leads-cyber-cover-for-m-s-ransomware-attack
People in Machynlleth are apparently turning up at local farms in search of food due to lack of produce at Co-op https://www.cambrian-news.co.uk/news/cyber-attack-people-turning-up-at-farms-as-machynlleth-co-op-shelves-remain-bare-792434
Co-op stores in Sheffield, Badenoch, Dunfermline and many other places are apparently running out of produce - it's not possible to keep up with the local media reports but they're basically bored reporters get sent out to photograph half empty fridges.
This ITV News report linking the Co-op and M&S breaches to SIM swapping is not accurate, no source given. https://www.itv.com/news/2025-05-12/sim-swap-fraud-rises-by-1000-as-criminals-exploit-two-factor-authentication
They also have a report today saying Co-op stores are restocked, which is also not accurate - that one is sourced from Co-op, but obviously doesn’t stack up to looking in Co-op stores.
If anybody is wondering, all of Marks and Spencer's Palo-Alto GlobalProtect VPN boxes are still offline, 3 weeks later. Pretty good containment method to keep attackers out.
Co-op's VDE environment is still down, too.
https://cyberplace.social/@GossiTheDog/114399017367179104
M&S confirm my toot from 3 days ago that a significant amount of customer and staff data was stolen. They’ve known for weeks but opted not to tell anybody. https://www.bbc.com/news/articles/c62v34zv828o
Re the Co-op Group breach, Co-op say home addresses of customers were exfiltrated (it was the membership database). This one dates back to my May 2nd toot upthread re home addresses - at the time, they didn't specify home addresses.
Co-op's AGM is this weekend, and M&S yearly results and investor contact are next week.
Gonna be awkward for different reasons, e.g. Co-op is member (customer) owned, so the people's data Co-op had stolen are effectively the shareholders and are invited.
The Channel Islands Coop, which is different to Co-op Group, has been able to restock shelves by moving away from Co-op Group for supply distribution and moving to local suppliers. https://www.bbc.co.uk/news/articles/c3d4xvg3x1do
The Grocer reports Nisa and Costcutter are running out of fruit & veg, fresh meat and poultry, dairy products, chilled ready meals, snacks and desserts.
Nisa and Costcutter are supplied by Co-op Wholesale, which is dependent on Co-op Group.
“It’s really poor. I feel bad for them but what makes it worse is their hush-hush mentality about it. There’s no proper level of communication and we get random updates.”
Co-op Wholesale claim there are no problems. https://www.thegrocer.co.uk/news/nisa-and-costcutter-hit-by-stock-shortages-amid-co-op-cyberattack/704393.article
A look at supplies in stores today, after Co-op told ITV yesterday that stores were restocked 😅
And a video
Co-op Group have told their suppliers that "systemic-based orders will resume for ambient, fresh, and frozen products commencing Wednesday 14 May". They say forecasting system will still be impacted.
https://www.thegrocer.co.uk/news/co-op-to-get-systems-back-on-track-after-cyberattack/704425.article
Financial Times report Marks and Spencer expect to claim £100m on their cyber insurance, the maximum allowed, suggesting losses probably more. https://www.ft.com/content/723b6195-1ce7-4b5f-94f5-729e9152c578
Co-op Group say they have exited containment and begun recovery phase https://www.theguardian.com/business/2025/may/14/co-op-cyber-attack-stock-availability-in-stores-will-not-improve-until-weekend
Marks and Spencer are still in containment
If you want figures for your board to set expectations in big game ransomware incidents, Co-op containment just over 2 weeks, M&S just over 3 weeks so far - recovery comes after.
In terms of external assistance, Co-op have Microsoft Incident Response (DART), KPMG and crisis comms. M&S have CrowdStrike, Microsoft, Fenix and crisis comms.
The threat actor at Co-op says Co-op shut systems down, which appears to have really pissed off the threat actor. This was the right, and smart, thing to do.
While I was at Co-op we did a rehearsal of ransomware deployment on point of sale devices with the retail team, and the outcome was a business ending event due to the inability to take payments for a prolonged period of time. So early intervention with containment was the right thing to do, 100%.
Co-op Group recruitment looks like it is starting again, first new roles in two weeks posted. https://hcnq.fa.em2.oraclecloud.com/hcmUI/CandidateExperience/en/sites/CX/jobs
Marks and Spencer say food distribution to their stores is returning to normal. It follows Co-op's announcement yesterday that food and drink distribution will begin to return to normal from the weekend. https://www.reuters.com/business/retail-consumer/uks-ms-says-food-availability-improving-every-day-2025-05-15/
27 new jobs at Co-op added today, and it's only midday. So recruitment was definitely paused for two weeks and now active again.
M&S have finally told staff that data about themselves was stolen: https://www.telegraph.co.uk/business/2025/05/16/ms-staff-data-stolen-by-hackers-in-cyber-attack/
You may notice I said they had staff data stolen on May 9th in this thread.
For the record, the tools listed in this article aren't used by Co-op.
The link in the article to Vectra Cognito AI has a Coop Sweden logo on it, and the Coop Sweden CISO is named. Coop Sweden is different company. Coop Sweden went on to have a ransomware attack that crippled the org, including point of sale, so I don't think it's a good sales point. Same with Silverfort.
Google AI has ingested the article and now uses it to claim Co-op Group use the tools.
M&S recruitment is still fully stopped, almost a month in. Co-op opened 46 new vacancies today.
Marks and Spencer’s CEO will lose a £1.1m share grant as a result of their cyber incident. https://www.ft.com/content/43531d25-4f7a-4d6e-b809-e85bb8f0033e
The Times reports M&S were breached through a contractor and that human error is to blame. (Both M&S and Co-op use TCS for their IT Service Desk).
The threat actor went undetected for 52 hours. (I suspect detection was when their ESXi cluster got encrypted).
M&S have told the Times they had no “direct” communication with DragonForce, which is code for they’re using a third party to negotiate - standard practice.
https://www.thetimes.com/uk/technology-uk/article/m-and-s-boss-cyber-attack-7d9hvk6ds
M&S looks to be moving to reposition their incident as a third party failure, which I imagine will help redirect some of the blame (they present their financial results during the week to investors): https://www.bbc.co.uk/news/articles/cpqe213vw3po
Both M&S and Co-op outsourced their IT, including their Service Desk (helpdesk), to TCS (Tata) around 2018, as part of cost savings.
There's nothing to suggest TCS itself have a breach btw.
Basically, if you go for the lowest cost helpdesk - you might want to follow the NCSC advice on authenticating password and MFA token resets.
I've put a 3 part deep dive blog series coming out probably next week called Living-Off-The-Company, which is about how teenagers have realised large orgs have outsourced to MSPs who follow the same format of SOP documentation, use of cloud services etc. Orgs have introduced commonality to surf.
The Office of the Privacy Commissioner for Personal Data (PCPD) has confirmed that Marks and Spencer (M&S) Hong Kong has not informed it of a recent customer data leak, nor responded to its enquiries. https://hongkongfp.com/2025/05/19/ms-hong-kong-not-responding-to-privacy-commissioners-office-after-online-customer-data-breach/
"Cyber analysts and retail executives said the company had been the victim of a ransomware attack, had refused to pay - following government advice - and was working to reinstall all of its computer systems."
Not sure who those analysts are, but since DragonForce haven't released any data and M&S won't comment other than to say they haven't had any "direct" contact with DragonForce, I wouldn't make that assumption.
There's also a line in the article from an cyber industry person saying "if it can happen to M&S, it can happen to anyone" - it's ridiculous and defeatist given Marks and Spencer haven't shared any technical information about how it happened, other than to tell The Sunday Times it was "human error"
The Air Safety version of cyber industry would be a plane crashing into 14 other planes, and industry air safety people going "Gosh, if that can happen to British Airways it could happen to anybody!"
Tomorrow it’s one month since Marks and Spencer started containment, it’s also their financial results day.
Online ordering still down, all recruitment stopped, Palo-Alto VPNs still offline.
TCS have been linked to the Marks and Spencer breach, at least in part.
I made this point a few weeks ago, but... outsourcing all your IT, Networks, Service Desk (helpdesk) and operational cybersecurity is a temporary cost saving and basically paints a ticking timebomb on the org, IMHO.
M&S say online ordering will be stopped until sometime in July, and it has taken a £300m hit, far higher than analysts had predicted. https://www.bbc.co.uk/news/articles/c93llkg4n51o
Graham Sutherland / Polynomial@GossiTheDog I must admit to not being particularly enamoured by the overall concept of third party identity security services.
Fennix@GossiTheDog how do in register a future "I told you so" without disclosing who it's for? Asking for a friend...
Otte Homan - remember Geordie@GossiTheDog unless maybe you outsource, but to a bunch of different providers, spreading risk? ie use local OpenLDAP as an organisation management tool (does not eerste a huge amount of resources, then set up mail with A, storage with B, web with C, etc. ?
Dave 🐶@GossiTheDog I can imagine many business leaders going "oh, it's okay, we don't use TCS, we have another outsourced supplier..."
Michael Kohlman@GossiTheDog Want to guess how much of my IT leadership career has been focused on building in-house expertise and dialing back the presence of MSPs?
Enough that it's made for a pretty good living...
Indieterminacy@GossiTheDog Its rather hypocritical that the Coop would be wading into the outsourcing game
Joel Michael@GossiTheDog Every company is a computer company now
Ray—Golden Retriever Whisperer—🔝Insights@GossiTheDog when I got my business degree, one of my management profs said that the instant you outsource, you give up control. To the service provider, you move from income to liability on the balance sheet because you now are costing them money, and to eke out any profit they need to cut costs related to providing service to you.
Thus you get all this *gestures vaguely*
vksxypants@GossiTheDog I'm guessing it's a liability thing? I.e. they can recover a significant chunk of the losses from TCS contractually?
Colin Macleod@GossiTheDog "paints a ticking timebomb" - bit of a mixed metaphor, could be "paints a target" or "plants a ticking timebomb" ? 😎
The shortsightedness of outsourcing everything is undeniable though!
O'Schell@GossiTheDog I would buy one of those action that goes up when it goes done ! Would that be considered 'outsider trading' ?
JP@GossiTheDog They are still within the contract sla period for a response from the outsourced help desk. Sorry. But the contract sla only covers time to first response to the ticket not when the ticket will be done. Also orders for that many new machines exceeds the average % of requests and so is subject to delays from the equipment supplier
Alex 
@GossiTheDog I would love for IT to publish accident investigation reports in the same way as aviation.
No blame, no liability, no finger pointing, just lessons for everyone to learn and hopefully avoid the same.
(I know there have been some like the Irish Health Service that were excellent.)
Matthew Skelton@GossiTheDog yeah, breach the "low cost" IT outsourcer - whose staff feel little connection or affinity with the corporate customer - and *bingo* you hit the jackpot 🎰 with multiple corporate accounts to ransom.
How's that "low cost IT outsourcing" looking now?
Roger BW 😷@matthewskelton @GossiTheDog Of course, make it clear how little you care about your in-house support staff and the same problem arises.
@RogerBW @GossiTheDog oh for sure. It's always seemed weird to me that orgs treat IT admin as low skilled. They are the info front line - you need some of the best people in that position or you're fscked.
Chris Pitts@matthewskelton @GossiTheDog Chickens. Home. Roost. Or something like that 🐓🏠💥
*sigh*Ber nard@GossiTheDog One of the big MSP's from India was adamant:
1. Personnel is not allowed to store passwords.
2. Must use unique passwords for every service.
3. Passwords must rotate every X days.
4. Only sanctioned apps are allowed.
5. No password manager is sanctioned or installed by default.
1. Personnel is not allowed to store passwords.
2. Must use unique passwords for every service.
3. Passwords must rotate every X days.
4. Only sanctioned apps are allowed.
5. No password manager is sanctioned or installed by default.
@GossiTheDog I recall it was a "TCS_80_ip" list in Entra Id marked "Trusted"/"MFA exempt" that contained 80 ranges from /15 to /24...
Yet happily pivoting through 3 layer deep RDP to get to a system to manage 
Fritz Adalis@GossiTheDog Something, something, can't outsource risk.
⊥ᵒᵚ⁄Cᵸᵎᶺᵋᶫ∸ᵒᵘ ☑️@GossiTheDog is there a non #paywall source for that?
Billy Smith
caskfan@GossiTheDog paywall 😭
Chris
Marcus The Board Gamer
MattChippytea@GossiTheDog having recently dealt with TCS, nothing would surprise me.
beemoh@GossiTheDog No direct contact with DragonForce? I'm sure they'll drag them Through The Fire And The Flames over this one.
Ollie 🇪🇺🏳️🌈🏳️⚧️🇵🇸🇺🇦@GossiTheDog As a Co-op member, I'm very happy to see them getting back to business
Rob\Viewdata UK@GossiTheDog
This was yesterday evening in my local co-op store (close to central Manchester.) Still lots of empty spaces on the shelves.
This was yesterday evening in my local co-op store (close to central Manchester.) Still lots of empty spaces on the shelves.
Gary Parker 
@GossiTheDog And I was expecting the first vacancy to be CTO 😆
Philipp Blum@GossiTheDog Those who know this is going to become more and more.
Ben HammondThe quote
> They torched shareholder value
made me laugh
they have no idea what the Coop is
XCondE@benh @GossiTheDog I have no idea either. Do you have a TL;DR? What's the relation between Coop and Co-op?
Damien@GossiTheDog wait, they both have professional crisis comms? They appear to be overpaying them...
David Krause@damien @GossiTheDog I would say most breach and ransomware victims hire a professional crisis comms vendor. It's another whole sub-industry of the ransomware industry. And those vendors do the opposite of what most cyber people would want. Mostly doing minimal statements, trying to kill stories, and less communication.
@GossiTheDog
Confident on containment within 2 weeks?
Confident on containment within 2 weeks?
Dr. Christopher Kunz@GossiTheDog I will henceforth not do anything differntly and therefore continue not to be a Harrods customer.
Ivor Hewitt@GossiTheDog exactly... They should be talking to the butler.