Using early 2000s security posture, staff working from offices are an incredible risk to the organization. They will be compromised just as fast there, while also being inside a physical perimeter.
@Walker @GossiTheDog
Harrods say they are not asking customers to do anything differently at this point.
Financial Times report Marks and Spencer expect to claim £100m on their cyber insurance, the maximum allowed, suggesting losses are probably more. https://www.ft.com/content/723b6195-1ce7-4b5f-94f5-729e9152c578
M&S cyber insurance payout to be worth up to £100mn (Financial Times): UK retailer to file big claim as it admits for first time that some customer data was stolen in recent hack

Co-op Group say they have exited containment and begun recovery phase https://www.theguardian.com/business/2025/may/14/co-op-cyber-attack-stock-availability-in-stores-will-not-improve-until-weekend

Marks and Spencer are still in containment

If you want figures for your board to set expectations in big game ransomware incidents, Co-op containment just over 2 weeks, M&S just over 3 weeks so far - recovery comes after.

In terms of external assistance, Co-op have Microsoft Incident Response (DART), KPMG and crisis comms. M&S have CrowdStrike, Microsoft, Fenix and crisis comms.

Co-op cyber-attack: stock availability in stores ‘will not improve until weekend’ (The Guardian): Group in ‘recovery phase’ and working closely with suppliers after customers complain of empty shelves

The threat actor at Co-op says Co-op shut systems down, which appears to have really pissed off the threat actor. This was the right, and smart, thing to do.

While I was at Co-op we did a rehearsal of ransomware deployment on point of sale devices with the retail team, and the outcome was a business ending event due to the inability to take payments for a prolonged period of time. So early intervention with containment was the right thing to do, 100%.

https://www.bbc.co.uk/news/articles/cwy382w9eglo

'They yanked their own plug': how Co-op averted an even worse cyber attack (BBC News): The revelation, from the criminals responsible, explains why the Co-op is getting back to business faster than M&S.
Co-op Group recruitment looks like it is starting again, first new roles in two weeks posted. https://hcnq.fa.em2.oraclecloud.com/hcmUI/CandidateExperience/en/sites/CX/jobs
Find your Co-op job (Co-op External Career Section)
Marks and Spencer say food distribution to their stores is returning to normal. It follows Co-op's announcement yesterday that food and drink distribution will begin to return to normal from the weekend. https://www.reuters.com/business/retail-consumer/uks-ms-says-food-availability-improving-every-day-2025-05-15/
27 new jobs at Co-op added today, and it's only midday. So recruitment was definitely paused for two weeks and now active again.

M&S have finally told staff that data about themselves was stolen: https://www.telegraph.co.uk/business/2025/05/16/ms-staff-data-stolen-by-hackers-in-cyber-attack/

You may notice I said they had staff data stolen on May 9th in this thread.

M&S staff data stolen by hackers in cyber attack (The Telegraph): Employees’ email addresses and full names have been taken by hackers, sources claim

For the record, the tools listed in this article aren't used by Co-op.

https://www.computing.co.uk/news/2025/security/five-cyber-tools-co-op-used-to-defeat-ransomware-attack

The link in the article to Vectra Cognito AI has a Coop Sweden logo on it, and the Coop Sweden CISO is named. Coop Sweden is a different company. Coop Sweden went on to have a ransomware attack that crippled the org, including point of sale, so I don't think it's a good sales point. Same with Silverfort.

Google AI has ingested the article and now uses it to claim Co-op Group use the tools.

Here are the five cyber tools Co-op used to help defeat its recent ransomware attack (Computing): Computing research has identified the security tools and partners the Co-op used to stop last month’s cyberattack in its tracks.

M&S recruitment is still fully stopped, almost a month in. Co-op opened 46 new vacancies today.
Marks and Spencer’s CEO will lose a £1.1m share grant as a result of their cyber incident. https://www.ft.com/content/43531d25-4f7a-4d6e-b809-e85bb8f0033e
M&S chief executive faces £1.1mn pay hit after cyber attack (Financial Times): Stuart Machin’s awards set to shrink after UK retailer’s share price drops following disclosure of sweeping hack

The Times reports M&S were breached through a contractor and that human error is to blame. (Both M&S and Co-op use TCS for their IT Service Desk).

The threat actor went undetected for 52 hours. (I suspect detection was when their ESXi cluster got encrypted).

M&S have told the Times they had no “direct” communication with DragonForce, which is code for they’re using a third party to negotiate - standard practice.

https://www.thetimes.com/uk/technology-uk/article/m-and-s-boss-cyber-attack-7d9hvk6ds

M&S bosses under fire after ‘damaging and embarrassing’ cyberattack (The Times): The Times reveals that the hackers penetrated the retailer’s IT systems through a contractor and worked undetected for about 52 hours before the alarm was raised

M&S looks to be moving to reposition their incident as a third party failure, which I imagine will help redirect some of the blame (they present their financial results during the week to investors): https://www.bbc.co.uk/news/articles/cpqe213vw3po

Both M&S and Co-op outsourced their IT, including their Service Desk (helpdesk), to TCS (Tata) around 2018, as part of cost savings.

M&S hackers believed to have gained access through third party (BBC News): The retailer has been struggling to get its services back to normal after a cyber-attack in April.

There's nothing to suggest TCS itself have a breach btw.

Basically, if you go for the lowest cost helpdesk - you might want to follow the NCSC advice on authenticating password and MFA token resets.

I've got a 3 part deep dive blog series coming out probably next week called Living-Off-The-Company, which is about how teenagers have realised large orgs have outsourced to MSPs who follow the same format of SOP documentation, use of cloud services etc. Orgs have introduced commonality to surf.

The Office of the Privacy Commissioner for Personal Data (PCPD) has confirmed that Marks and Spencer (M&S) Hong Kong has not informed it of a recent customer data leak, nor responded to its enquiries. https://hongkongfp.com/2025/05/19/ms-hong-kong-not-responding-to-privacy-commissioners-office-after-online-customer-data-breach/
M&S Hong Kong not responding to Privacy Commissioner’s Office after online customer data breach (Hong Kong Free Press HKFP): The Office of the Privacy Commissioner for Personal Data says M&S Hong Kong has not informed it of a recent customer data leak, nor responded to its enquiries.

"Cyber analysts and retail executives said the company had been the victim of a ransomware attack, had refused to pay - following government advice - and was working to reinstall all of its computer systems."

Not sure who those analysts are, but since DragonForce haven't released any data and M&S won't comment other than to say they haven't had any "direct" contact with DragonForce, I wouldn't make that assumption.

https://www.reuters.com/business/retail-consumer/ms-slow-recovery-cyberattack-puts-it-risk-lasting-damage-2025-05-19/

There's also a line in the article from a cyber industry person saying "if it can happen to M&S, it can happen to anyone". It's ridiculous and defeatist given Marks and Spencer haven't shared any technical information about how it happened, other than to tell The Sunday Times it was "human error".

The Air Safety version of cyber industry would be a plane crashing into 14 other planes, and industry air safety people going "Gosh, if that can happen to British Airways it could happen to anybody!"

Tomorrow it’s one month since Marks and Spencer started containment, it’s also their financial results day.

Online ordering still down, all recruitment stopped, Palo-Alto VPNs still offline.

I made this point a few weeks ago, but... outsourcing all your IT, Networks, Service Desk (helpdesk) and operational cybersecurity is a temporary cost saving and basically paints a ticking timebomb on the org, IMHO.
M&S say online ordering will be stopped until sometime in July, and it has taken a £300m hit, far higher than analysts had predicted. https://www.bbc.co.uk/news/articles/c93llkg4n51o
M&S cyber-attack disruption to last until July and cost £300m (BBC News): Customers have been unable to order online for almost a month due to the cyber-attack.
@GossiTheDog I must admit to not being particularly enamoured by the overall concept of third party identity security services.
@GossiTheDog how do I register a future "I told you so" without disclosing who it's for? Asking for a friend...
@GossiTheDog I can imagine many business leaders going "oh, it's okay, we don't use TCS, we have another outsourced supplier..."

@GossiTheDog Want to guess how much of my IT leadership career has been focused on building in-house expertise and dialing back the presence of MSPs?

Enough that it's made for a pretty good living...

@GossiTheDog It's rather hypocritical that the Coop would be wading into the outsourcing game
@GossiTheDog Every company is a computer company now

@GossiTheDog when I got my business degree, one of my management profs said that the instant you outsource, you give up control. To the service provider, you move from income to liability on the balance sheet because you now are costing them money, and to eke out any profit they need to cut costs related to providing service to you.

Thus you get all this *gestures vaguely*

@GossiTheDog I'm guessing it's a liability thing? I.e. they can recover a significant chunk of the losses from TCS contractually?

@GossiTheDog "paints a ticking timebomb" - bit of a mixed metaphor, could be "paints a target" or "plants a ticking timebomb" ? 😎

The shortsightedness of outsourcing everything is undeniable though!

@GossiTheDog I would buy one of those shares that goes up when it goes down! Would that be considered 'outsider trading'?
@GossiTheDog They are still within the contract SLA period for a response from the outsourced help desk. Sorry. But the contract SLA only covers time to first response to the ticket, not when the ticket will be done. Also, orders for that many new machines exceed the average % of requests and so are subject to delays from the equipment supplier.

@GossiTheDog I would love for IT to publish accident investigation reports in the same way as aviation.

No blame, no liability, no finger pointing, just lessons for everyone to learn and hopefully avoid the same.

(I know there have been some like the Irish Health Service that were excellent.)

@GossiTheDog The “human error” is the humans in the boardroom and the C-suite not putting sufficient effort or resources into securing their networks.

@GossiTheDog yeah, breach the "low cost" IT outsourcer - whose staff feel little connection or affinity with the corporate customer - and *bingo* you hit the jackpot 🎰 with multiple corporate accounts to ransom.

How's that "low cost IT outsourcing" looking now?

@matthewskelton @GossiTheDog Of course, make it clear how little you care about your in-house support staff and the same problem arises.
@RogerBW @GossiTheDog oh for sure. It's always seemed weird to me that orgs treat IT admin as low skilled. They are the info front line - you need some of the best people in that position or you're fscked.
@matthewskelton @GossiTheDog Chickens. Home. Roost. Or something like that 🐓🏠💥
@GossiTheDog One of the big MSP's from India was adamant:
1. Personnel is not allowed to store passwords.
2. Must use unique passwords for every service.
3. Passwords must rotate every X days.
4. Only sanctioned apps are allowed.
5. No password manager is sanctioned or installed by default.

@GossiTheDog I recall it was a "TCS_80_ip" list in Entra ID marked "Trusted"/"MFA exempt" that contained 80 ranges from /15 to /24...

Yet happily pivoting through 3 layer deep RDP to get to a system to manage 
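As an added example (not from the thread or any of the companies named in it), a small offline audit that flags trusted Entra ID named locations whose CIDR ranges are broader than a chosen prefix length, the kind of "MFA exempt /15" the comment above describes. The input is a constructed list shaped like the ipNamedLocation objects returned by the Microsoft Graph named-locations API (the field names displayName, isTrusted, ipRanges and cidrAddress are assumed from that shape; the names and addresses are made up).

```python
import ipaddress

# Constructed sample shaped like Graph ipNamedLocation objects (assumed field names,
# made-up names and documentation/benchmark address space; not real tenant data).
SAMPLE_NAMED_LOCATIONS = [
    {"displayName": "Office-HQ", "isTrusted": True,
     "ipRanges": [{"cidrAddress": "203.0.113.0/24"}]},
    {"displayName": "MSP_IP_list", "isTrusted": True,
     "ipRanges": [{"cidrAddress": "198.18.0.0/15"},
                  {"cidrAddress": "192.0.2.0/24"}]},
    {"displayName": "Guest-WiFi", "isTrusted": False,
     "ipRanges": [{"cidrAddress": "10.0.0.0/8"}]},
]


def audit_trusted_locations(locations, max_ok_prefixlen=24):
    """Return one finding per trusted location that contains an IPv4 range
    broader than /max_ok_prefixlen. Each finding records the location name,
    the total number of addresses it trusts and the offending ranges."""
    findings = []
    for loc in locations:
        if not loc.get("isTrusted"):
            continue  # only trusted locations can satisfy a trusted-location bypass
        total_addresses = 0
        broad_ranges = []
        for entry in loc.get("ipRanges", []):
            net = ipaddress.ip_network(entry["cidrAddress"], strict=False)
            total_addresses += net.num_addresses
            # IPv6 prefixes use a different scale; this check is IPv4-only.
            if net.version == 4 and net.prefixlen < max_ok_prefixlen:
                broad_ranges.append(str(net))
        if broad_ranges:
            findings.append({
                "name": loc["displayName"],
                "addresses": total_addresses,
                "broad_ranges": broad_ranges,
            })
    return findings


if __name__ == "__main__":
    for f in audit_trusted_locations(SAMPLE_NAMED_LOCATIONS):
        print(f"{f['name']}: {f['addresses']} trusted addresses, "
              f"broad ranges: {', '.join(f['broad_ranges'])}")
```

The same function works on the real API response once the `value` array from the named-locations endpoint is passed in; the threshold is a policy choice, not a standard.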

@GossiTheDog I wonder would there be a drop in threat activity if someone made sure all teenagers are in school/training/work/at a youthclub (if there were any).
@GossiTheDog Something, something, can't outsource risk.
@GossiTheDog
Argh, flashbacks to trying to convince directors that outsourcing IT is bad. Very bad.
@sunflowerinrain @GossiTheDog I've seen a full remote tech company where IT was outsourced, and the contract was managed by HR. Like if the CEO didn't trust the engineers (building the product).
@GossiTheDog paywall 😭

@GossiTheDog No direct contact with DragonForce? I'm sure they'll drag them Through The Fire And The Flames over this one.

@GossiTheDog “we aren’t a computer company, so off to India / China / Vietnam / Philippines / etc for all this non-core-business shit”

“Why company not run without computers? Who did this?”

@GossiTheDog As a Co-op member, I'm very happy to see them getting back to business
@GossiTheDog
This was yesterday evening in my local co-op store (close to central Manchester.) Still lots of empty spaces on the shelves.
@GossiTheDog And I was expecting the first vacancy to be CTO 😆
@GossiTheDog Those who know this is going to become more and more.

@GossiTheDog

The quote

> They torched shareholder value

made me laugh

they have no idea what the Coop is

@GossiTheDog
Confident on containment within 2 weeks?
@GossiTheDog I will henceforth not do anything differently and therefore continue not to be a Harrods customer.
@GossiTheDog exactly... They should be talking to the butler.