Loading replies...
×
Show threadKevin BeaumontMay 23

TCS has a security incident running around the M&S breach.

Interestingly the source claims TCS aren't involved in Co-op's IT - which is categorically false, they took over most of it while I worked there, including the helpdesk, and my team (SecOps) after I left.

https://www.ft.com/content/c658645d-289d-49ee-bc1d-241c651516b0

Show threadKevin BeaumontMay 24

Insurance Insider say Co-op Group have no cyber insurance policy.

It’s got the insurance industry hard as they think they can ambulance chase other orgs with it.

https://www.insuranceinsider.com/article/2eu3sto6ggpzewrryexog/lines-of-business/cyber/m-s-attacks-could-be-the-key-to-winning-new-cyber-business

M&S attacks could be the key to winning new cyber business

While M&S had a cyber policy in place, Co-op and Harrods did not, Insurance Insider revealed.

Insurance Insider
Show threadKevin BeaumontMay 28
Seven weeks in, Marks and Spencer still have recruitment closed, online orders stopped and no Palo-Alto GlobalProtect VPN.
Show threadKevin BeaumontMay 31

While Co-op have restored every customer facing system and internal systems like recruitment and remote working, M&S still don't even have recruitment back.

I'm reliably told they paid the ransom, so they'll be target #1 basically forever with other ransomware groups now due to resiliency woes and willingness to pay.

Show threadKevin BeaumontJun 2
Marks and Spencer's remuneration committee have opted not to dock the CEOs pay as expected and prior reported over the cyber incident, but instead increased it by £2m.
https://www.bbc.co.uk/news/articles/c23mz5eg091o
M&S boss's pay hits £7m before cyber attack chaos

Stuart Machin's money is not affected by the IT disruption but it will be considered for next year's pay.

BBC News
Show threadKevin BeaumontJun 3
Marks & Spencer is holding walk-in in-store recruitment open days to fill vacant roles while its online hiring system remains offline following its ransomware attack in April. https://www.thegrocer.co.uk/news/mands-stores-staging-walk-in-recruitment-open-days-amid-cyberattack-disruption/705189.article
M&S stores staging walk-in recruitment open days amid cyberattack disruption

M&S suspended online recruitment, along with clothing and home orders, after hackers took control of its systems in a cyberattack in April

The Grocer
Show threadKevin BeaumontJun 3

This Daily Mail piece about security leaders thinking work-from-home means they will be crippled is horseshit, I'm not linking it.

They've taken a survey about how security people think their businesses couldn't survive ransomware, and linked it to working from home. WFH isn't the problem: business IT and resilience being built on quicksand is the problem.

Show threadKevin BeaumontJun 5

Co-op say they have largely completed recovery, and have removed the cyber attack banner and statement from their website

https://www.retailgazette.co.uk/blog/2025/06/co-op-cyber-attack/

I think they did a great job. They do call it a "highly sophisticated attack", which, frankly.. isn't true and may come out in open court later if the suspects are ever caught.

6 weeks from containment to "near full" recovery, for statto nerds like me who track this stuff.

Co-op nears ‘complete recovery’ from cyber attack - Retail Gazette

Co-op has said it’s in a “much stronger position” as store deliveries return to normal following its cyber attack.

Retail Gazette
Show threadKevin BeaumontJun 6

M&S had their ransomware incident communicated via internal email - from the account of a staff member who works for TCS.

The way TCS work is you give them accounts on your AD.

https://www.bbc.co.uk/news/articles/cr58pqjlnjlo

M&S hackers sent abuse and ransom demand directly to CEO

The criminals told the retailer's boss he could make things "fast and easy" if he complied with their demands.

BBC News
Show threadKevin BeaumontJun 10

Marks and Spencer have started partial online shopping again.

For statto nerds, around 7 weeks from containment to partial recovery

https://www.bbc.co.uk/news/articles/c4gevk2x03go

M&S restarts online orders after cyber attack

The return of online shopping marks a key milestone for the retailer, which has struggling to get services back to normal.

BBC News
Show threadKevin BeaumontJun 20
M&S still have no recruitment system, two months in.
Show threadKevin BeaumontJun 21

TCS have told shareholders their systems were not compromised in the hack of M&S.

As an explainer here (not in the article): TCS IT systems weren't compromised. Their helpdesk service (they're AD admins at M&S) was used to gain access to M&S. They manage M&S IT systems.
https://www.reuters.com/business/media-telecom/indias-tcs-says-none-its-systems-were-compromised-ms-hack-2025-06-19/

Show threadKevin BeaumontJun 24

Latest Marks and Spencer update is pretty crazy.

M&S haven't been able to supply sales data - so the British Retail Consortium (BRC) - used by the UK government as as economic indicator - basically made up figures for M&S and didn't tell people they had done this.

https://www.telegraph.co.uk/business/2025/06/24/retail-lobby-group-accused-of-ms-cyber-cover-up/

Retail lobby group accused of M&S cyber cover-up

British Retail Consortium published ‘made-up’ sales figures following attack on high street giant

The Telegraph
Show threadKevin BeaumontJun 27
Ultra spicy post claiming to be from UK retailer employee (M&S or Co-op) about their experience with TCS on their security incident. https://www.reddit.com/r/cybersecurity/comments/1ll1l6c/scattered_spider_tcs_blame_avoidance/?utm_source=share&utm_medium=mweb3x&utm_name=mweb3xcss&utm_term=1&utm_content=share_button
Show threadEstiqaatsiJun 27
@GossiTheDog
Show threadLuna D DragonJun 27
@GossiTheDog this doesn't surprise me, in india TCS is seen as a spring board job. You join to gain experience. Stay for a few months maybe a year or two(if you're really desperate). grit your teeth deal with a horrible boss and then move to a better paying job. They have pretty high turnovers so training new staff is probably super low on the priority.
Show threadAndy LiJun 24
@GossiTheDog To be fair, according to the article it was BRC who told its members about the made up first. Though we may argue it was a bit late.
Show threadBert DriehuisJun 21

@GossiTheDog In other words, their wetware was targeted.

"Our staff is our most valued asset. We depreciate on it."

Show threadAdrian SanabriaJun 21
@GossiTheDog so their systems were not compromised, but their employees’ creds into the M&S environment were?
Show threadMichael WeissJun 22
@GossiTheDog it's the classic case of telling the literal truth in a way that implies something entirely false.
Show threadDave 🐶Jun 22

@GossiTheDog The term 'user' in "no TCS systems or users compromised" could be more interesting to argue on in a civil liabilities case.

If a TCS staff member falls for social engineering (even if the action they take is within an assigned M&S tenant account...), is that not the same as a TCS user being compromised?

Anyway... I'm sure that statement won't at all be like rubbing salt in M&S's wounds.

Show threadCryptoMooseJun 20
@GossiTheDog could it be that they are unable to recruit anybody to help fix the recruitment system, asking for an unemployed recruitment portal technician....
Show threadPeteJun 20
@GossiTheDog Still didn’t have any Percy Pigs at the last store I checked either. Staff told me they don’t know what they’re going to receive one delivery to the next.
Show threadDamienJun 20
@pete @GossiTheDog isn't that just situation normal (the delivery bit, not the Percy Pigs)?
Show threadMartin SeegerJun 10
@GossiTheDog That counts as "taking a heavy hit".
Show threadfuzzyfuzzyfungusJun 6
@GossiTheDog I'm sure the logic of 'work from home' being an existential threat while extensive exposure to outsourced managed services is just good sense must only baffle me because I'm not the sort of person who deserves a bonus that brings me up to £7 million for the year; not because it's questionable.
Show threadAndy LongshawJun 6
@fuzzyfuzzyfungus @GossiTheDog 💯 thanks for posting that. Saved me some typing 😀
Show threadSimon BJun 5
@GossiTheDog that's really impressive. and have they confirmed no ransom paid?
Show threadJasperJun 5
@GossiTheDog can confirm my local co-op's shelves are mostly full now - and they have earl grey tea, which was the only thing I really missed!
Show threadgwireJun 5
@GossiTheDog I think they could reasonably argue that the common use of the term “sophisticated” when applied to attacks, is merely used to refer to an attack that succeeded.
Show threadCraig StewartJun 3
@GossiTheDog the daily mail publishing click bait headlines with sensationalist takes that fit the narrative the rich and powerful want to push? Who could have predicted that ahead of time?
Show threadSecureWaffle🧇Jun 3
@GossiTheDog
Sounds like their companies rely on a hard outer shell and a squishy inside defense and nearly no layers of security.
Show threadpiofthingsJun 3
@GossiTheDog anything to discredit wfh!
Show threadBebadefaboJun 3
@GossiTheDog bankers are so afraid of WFH destroying the commercial real estate market, they'll pay for all kinds of bogus studies and make sure they get published and repeated far and wide to attempt to stop the wave of progress and modernization that is WFH. WFH is better for EVERYONE except the bankers who own your office. Fuck them. Fuck companies that capitulate to bankers and enact RTO policies to get preferential lending rates. Stay home
Show threadfuzzyfuzzyfungusJun 3

@GossiTheDog Looks like a product of the "a good lie contains as much truth as possible" school.

The connection to WFH is spurious; but only two thirds sounds low for "We don't really understand our problems; but they are probably apocalyptic".

Show threadEdJun 3
@GossiTheDog only two thirds of security leaders think that if they got successfully ransomwared that it could 'cripple' their business? I guess some people are just really confident in their incident response.
Show threadfuzzyfuzzyfungusJun 3

@GossiTheDog The 'WFH' allegations seem in especially bad faith given the suspected entry point for the M&S compromise: the outsourced helpdesk.

Those guys are even more compliant labor than work-not-from-home employees, so the Daily Heil isn't going to say anything; but lack even the (informal; but in practice often at least reasonably effective) "does the IT person you just poked recognize who is interrupting with a password question?" ID verification step with onsite workers and onsite IT.

Show threadMisuse CaseJun 5
@fuzzyfuzzyfungus @GossiTheDog Indeed, the way many organizations get got is through poorly secured third-party service providers. Not employees doing WFH.
Show threadVessOnSecurityJun 3
@GossiTheDog Just about everything Daily Mail publishes is horseshit.
Show threadAlun JonesJun 3
@GossiTheDog I could draft an opposing headline about how ransomware and cyber threats will naturally proliferate faster and more easily within a physical network than it will in a distributed environment.
It wouldn't be the whole story either, but it's just as true.
Show threadfuzzyfuzzyfungusJun 3

@ftp_alun @GossiTheDog There are also the organizations where basically everyone is 'remote' relative to the cloud stuff that is what actually matters and will either be fine or irrecoverably paved depending on how you configured it and whether or not the AWS/Azure admin creds got compromised.

Endpoints are high hassle per unit change; and nobody staffs IT such that they can replace or reimage them all at once; but unless it's really the dark ages just swapping or paving is usually fine.

Show threaddrathirJun 3
@GossiTheDog its always so funny bc with current technology there could be really no difference someone break in and use workplace vs break in and use home work station (some could even say properly deployed WFH setups could be even more protected than onsite devices where no one really cares) ^^
Show threadMichael GrahamJun 3
@GossiTheDog dammit I read WFH as Waffle House in my head and now I can’t stop
Show threadJamie DowlingJun 3
@GossiTheDog The Daily Mail is pretty much horse 💩 from cover to cover. As a sketch song about newspapers by comedian Rory Bremner years ago said, "Why don't they print it all in brown? That's the colour crap is!"
Show threadlfzzJun 3

@GossiTheDog wasn't there some event, maybe 5 years ago, that meant a lot of WFH? Or did I hallucinate those times.

Is it suddenly a problem now or this is the same RTO bullshit being peddled?

Show threadPino CarafaJun 3
@GossiTheDog I WFH 100% of the time. I never connect to an office "network". The only way I could spread any form of malicious payload to my colleagues is through shared communications platforms which not only requires ME to fuck up so that my account is used to send that payload to others, but it then requires the recipients to ALSO screw up and make mistakes like open dodgy links or attachments. WFH provises an additional buffer to protect an organisation, in my opinion.
Show threadMartin Vermeer FCDJun 2
@GossiTheDog Nice job if you can get it
Show threadDylan </closingtags.com>Jun 2
@GossiTheDog Incredible. I'm sure the blame will be passed on to some lowly IT personnel and the leadership will take none of it. Leadership loves taking credit for profits but when it comes to losses, that's not on them.
Show threadMerry ChristmasJun 2

@GossiTheDog

Marks and Spencer abandoned my city to take themselves out in the sticks where the only way to get to them from here, is by car, so I have abandoned Marks and Spencer's, they have nothing really original anyway.

Show threadfuzzyfuzzyfungusJun 2
@GossiTheDog The greatest lie Office Space ever told is that "What would you say you do here?" is primarily a question to be asked down rather than up.
Show threadVessOnSecurityJun 2
@GossiTheDog I guess, compared to that, paying the ransom was just peanuts, yes?
Show threadAnneHJun 2
@bontchev @GossiTheDog haha pay the CEO eye-watering amounts so that if you get ransomed it's cheap😂
Show threadsigi714Jun 2
@GossiTheDog RaaCEOS
Show threadJoel MichaelJun 2
@GossiTheDog CISO is an ablative role
Show threadOtte Homan - remember GeordieMay 31
@GossiTheDog we/they/someone/anyone *really* need to think very hard about how to properly redo absolutely secure internet facing IT systems.
Show threadAlan Miller  🇺🇦May 31
@GossiTheDog guess they're going to need to fully embrace "it's *when* you get hacked not *if* you get hacked."
Show threadgroff 🇺🇦May 31
@GossiTheDog If they paid it did them precisely no good and put an even bigger target on their back. Stupid decision that will see their premiums go up massively.
Show threadcybernerdMay 28
@GossiTheDog any indication that the Sophos report here: https://news.sophos.com/en-us/2025/05/27/dragonforce-actors-target-simplehelp-vulnerabilities-to-attack-msp-customers/ is linked to TCS?
DragonForce actors target SimpleHelp vulnerabilities to attack MSP, customers

Ransomware actor exploited RMM to access multiple organizations; Sophos EDR blocked encryption on customer’s network

Sophos News
Show threadJPMay 28
@GossiTheDog The sla got reset because the helpdesk marked the ticket closed, reopen if the problem persists.
Show threadAnneHMay 24
@GossiTheDog That is really surprising. I wonder why they didn't?
Show threadDave 🐶May 23
@GossiTheDog TCS will find a low-level engineer/analyst and their manager to fire. Say they've dealt with it and it'll never happen again.