Kevin BeaumontTCS have been linked to the Marks and Spencer breach, at least in part.
×
I made this point a few weeks ago, but... outsourcing all your IT, Networks, Service Desk (helpdesk) and operational cybersecurity is a temporary cost saving and basically paints a ticking timebomb on the org, IMHO.
M&S say online ordering will be stopped until sometime in July, and it has taken a £300m hit, far higher than analysts had predicted. https://www.bbc.co.uk/news/articles/c93llkg4n51o
Their CEO has commented they’ve drawn a line under the hack, without recovering, which has a bit of this energy honestly
The NCA has confirmed on the record that the investigation into the M&S and Co-op hack is focused on English teenagers. I could toot the names of the people I think they’ll pick up, but won’t.
The CEO of M&S has declined to comment if they have paid a ransom. For the record: I’ve heard they have, in secret, via their insurance. https://www.reuters.com/business/retail-consumer/ms-says-cyber-attack-was-result-human-error-declines-comment-ransom-2025-05-21/
Co-op Group announces it's getting rid of paper prices in stores, going to electric displays. Good luck during a ransomware incident 😒
TCS has a security incident running around the M&S breach.
Interestingly the source claims TCS aren't involved in Co-op's IT - which is categorically false, they took over most of it while I worked there, including the helpdesk, and my team (SecOps) after I left.
https://www.ft.com/content/c658645d-289d-49ee-bc1d-241c651516b0
Insurance Insider say Co-op Group have no cyber insurance policy.
It’s got the insurance industry hard as they think they can ambulance chase other orgs with it.
Seven weeks in, Marks and Spencer still have recruitment closed, online orders stopped and no Palo-Alto GlobalProtect VPN.
While Co-op have restored every customer facing system and internal systems like recruitment and remote working, M&S still don't even have recruitment back.
I'm reliably told they paid the ransom, so they'll be target #1 basically forever with other ransomware groups now due to resiliency woes and willingness to pay.
Marks and Spencer's remuneration committee have opted not to dock the CEOs pay as expected and prior reported over the cyber incident, but instead increased it by £2m.
https://www.bbc.co.uk/news/articles/c23mz5eg091o
https://www.bbc.co.uk/news/articles/c23mz5eg091o
Marks & Spencer is holding walk-in in-store recruitment open days to fill vacant roles while its online hiring system remains offline following its ransomware attack in April. https://www.thegrocer.co.uk/news/mands-stores-staging-walk-in-recruitment-open-days-amid-cyberattack-disruption/705189.article
This Daily Mail piece about security leaders thinking work-from-home means they will be crippled is horseshit, I'm not linking it.
They've taken a survey about how security people think their businesses couldn't survive ransomware, and linked it to working from home. WFH isn't the problem: business IT and resilience being built on quicksand is the problem.
Craig Stewart@GossiTheDog the daily mail publishing click bait headlines with sensationalist takes that fit the narrative the rich and powerful want to push? Who could have predicted that ahead of time?
SecureWaffle🧇@GossiTheDog
Sounds like their companies rely on a hard outer shell and a squishy inside defense and nearly no layers of security.
Sounds like their companies rely on a hard outer shell and a squishy inside defense and nearly no layers of security.
piofthings@GossiTheDog anything to discredit wfh!
Bebadefabo@GossiTheDog bankers are so afraid of WFH destroying the commercial real estate market, they'll pay for all kinds of bogus studies and make sure they get published and repeated far and wide to attempt to stop the wave of progress and modernization that is WFH. WFH is better for EVERYONE except the bankers who own your office. Fuck them. Fuck companies that capitulate to bankers and enact RTO policies to get preferential lending rates. Stay home
fuzzyfuzzyfungus@GossiTheDog Looks like a product of the "a good lie contains as much truth as possible" school.
The connection to WFH is spurious; but only two thirds sounds low for "We don't really understand our problems; but they are probably apocalyptic".
Ed@GossiTheDog only two thirds of security leaders think that if they got successfully ransomwared that it could 'cripple' their business? I guess some people are just really confident in their incident response.
@GossiTheDog The 'WFH' allegations seem in especially bad faith given the suspected entry point for the M&S compromise: the outsourced helpdesk.
Those guys are even more compliant labor than work-not-from-home employees, so the Daily Heil isn't going to say anything; but lack even the (informal; but in practice often at least reasonably effective) "does the IT person you just poked recognize who is interrupting with a password question?" ID verification step with onsite workers and onsite IT.
Misuse Case@fuzzyfuzzyfungus @GossiTheDog Indeed, the way many organizations get got is through poorly secured third-party service providers. Not employees doing WFH.
VessOnSecurity@GossiTheDog Just about everything Daily Mail publishes is horseshit.
Alun Jones@GossiTheDog I could draft an opposing headline about how ransomware and cyber threats will naturally proliferate faster and more easily within a physical network than it will in a distributed environment.
It wouldn't be the whole story either, but it's just as true.
It wouldn't be the whole story either, but it's just as true.
@ftp_alun @GossiTheDog There are also the organizations where basically everyone is 'remote' relative to the cloud stuff that is what actually matters and will either be fine or irrecoverably paved depending on how you configured it and whether or not the AWS/Azure admin creds got compromised.
Endpoints are high hassle per unit change; and nobody staffs IT such that they can replace or reimage them all at once; but unless it's really the dark ages just swapping or paving is usually fine.
@GossiTheDog its always so funny bc with current technology there could be really no difference someone break in and use workplace vs break in and use home work station (some could even say properly deployed WFH setups could be even more protected than onsite devices where no one really cares) ^^
Michael Graham@GossiTheDog dammit I read WFH as Waffle House in my head and now I can’t stop
Jamie Dowling@GossiTheDog The Daily Mail is pretty much horse 💩 from cover to cover. As a sketch song about newspapers by comedian Rory Bremner years ago said, "Why don't they print it all in brown? That's the colour crap is!"
lfzz@GossiTheDog wasn't there some event, maybe 5 years ago, that meant a lot of WFH? Or did I hallucinate those times.
Is it suddenly a problem now or this is the same RTO bullshit being peddled?
Pino Carafa@GossiTheDog I WFH 100% of the time. I never connect to an office "network". The only way I could spread any form of malicious payload to my colleagues is through shared communications platforms which not only requires ME to fuck up so that my account is used to send that payload to others, but it then requires the recipients to ALSO screw up and make mistakes like open dodgy links or attachments. WFH provises an additional buffer to protect an organisation, in my opinion.
Martin Vermeer FCD@GossiTheDog Nice job if you can get it
Dylan </closingtags.com>@GossiTheDog Incredible. I'm sure the blame will be passed on to some lowly IT personnel and the leadership will take none of it. Leadership loves taking credit for profits but when it comes to losses, that's not on them.
Merry ChristmasMarks and Spencer abandoned my city to take themselves out in the sticks where the only way to get to them from here, is by car, so I have abandoned Marks and Spencer's, they have nothing really original anyway.
@GossiTheDog The greatest lie Office Space ever told is that "What would you say you do here?" is primarily a question to be asked down rather than up.
@GossiTheDog I guess, compared to that, paying the ransom was just peanuts, yes?
AnneH@bontchev @GossiTheDog haha pay the CEO eye-watering amounts so that if you get ransomed it's cheap😂
sigi714@GossiTheDog RaaCEOS
Joel Michael@GossiTheDog CISO is an ablative role
Otte Homan - remember Geordie@GossiTheDog we/they/someone/anyone *really* need to think very hard about how to properly redo absolutely secure internet facing IT systems.
Alan Miller 
🇺🇦@GossiTheDog guess they're going to need to fully embrace "it's *when* you get hacked not *if* you get hacked."
groff 🇺🇦@GossiTheDog If they paid it did them precisely no good and put an even bigger target on their back. Stupid decision that will see their premiums go up massively.
@GossiTheDog any indication that the Sophos report here: https://news.sophos.com/en-us/2025/05/27/dragonforce-actors-target-simplehelp-vulnerabilities-to-attack-msp-customers/ is linked to TCS?
JP@GossiTheDog The sla got reset because the helpdesk marked the ticket closed, reopen if the problem persists.
@GossiTheDog That is really surprising. I wonder why they didn't?
Dave 🐶@GossiTheDog TCS will find a low-level engineer/analyst and their manager to fire. Say they've dealt with it and it'll never happen again.
NewkTake something from the shelf and when you reach the checkout, it costs twice as much! Nice!
HighlandLawyer@Newk @GossiTheDog
Which in the UK would be a criminal offence (under the law as it currently stands).
Which in the UK would be a criminal offence (under the law as it currently stands).
Ivor Hewitt@GossiTheDog I guess it's low risk since the electronic displays are basically paper - Dumb eink displays that you update via RFID from a handheld. (The ones I saw in the local coop worked that way anyway.)
Jernej Simončič �@ivor @GossiTheDog 3 or 4 years ago I was doing some IT work at a client while they had a demonstration of these eInk price displays. Those updated through IR, with special lamp fixtures with lots of mirrors on the ceiling – quite interesting technology, and I've since noticed those lamps at retailers that use this type of price displays. This can be tied directly into ERP, so as soon as you change the price in your accounting software, it can be changed on the shelf.
RichBartlett 
@GossiTheDog and so the ransomware machine grinds on. Ffs.
Richard Bairwell@GossiTheDog > I could toot the names of the people I think they’ll pick up, but won’t. < Encrypt them with GPG and release the key afterwards?
Flippin' 'eck, Tucker!@GossiTheDog I took that to mean that they (or more likely the analysts they hired) have concluded it's cheaper/quicker/safer to rebuild new systems from scratch than to continue any further recovery. So drawing a line in a financial & investigative sense, rather than saying that £300 million is just a scratch.
@GossiTheDog And rebuilding from the ground up would seem to tie in with their statement about online orders being unavailable until at least July and then "ramping up" after that.
Graham Sutherland / Polynomial@GossiTheDog I must admit to not being particularly enamoured by the overall concept of third party identity security services.
Fennix@GossiTheDog how do in register a future "I told you so" without disclosing who it's for? Asking for a friend...
@GossiTheDog I can imagine many business leaders going "oh, it's okay, we don't use TCS, we have another outsourced supplier..."
Michael Kohlman@GossiTheDog Want to guess how much of my IT leadership career has been focused on building in-house expertise and dialing back the presence of MSPs?
Enough that it's made for a pretty good living...
@GossiTheDog Its rather hypocritical that the Coop would be wading into the outsourcing game
@GossiTheDog Every company is a computer company now
@jpm @GossiTheDog this is how we know the species is doomed.
Ray—Golden Retriever Whisperer—🔝Insights@GossiTheDog when I got my business degree, one of my management profs said that the instant you outsource, you give up control. To the service provider, you move from income to liability on the balance sheet because you now are costing them money, and to eke out any profit they need to cut costs related to providing service to you.
Thus you get all this *gestures vaguely*