Co-op Group recruitment looks like it is starting again, first new roles in two weeks posted. https://hcnq.fa.em2.oraclecloud.com/hcmUI/CandidateExperience/en/sites/CX/jobs
Co-op External Career Section Careers

Find your Co-op job

Co-op External Career Section
Marks and Spencer say food distribution to their stores is returning to normal. It follows Co-op's announcement yesterday that food and drink distribution will begin to return to normal from the weekend. https://www.reuters.com/business/retail-consumer/uks-ms-says-food-availability-improving-every-day-2025-05-15/
27 new jobs at Co-op added today, and it's only midday. So recruitment was definitely paused for two weeks and now active again.

M&S have finally told staff that data about themselves was stolen: https://www.telegraph.co.uk/business/2025/05/16/ms-staff-data-stolen-by-hackers-in-cyber-attack/

You may notice I said they had staff data stolen on May 9th in this thread.

M&S staff data stolen by hackers in cyber attack

Employees’ email addresses and full names have been taken by hackers, sources claim

The Telegraph

For the record, the tools listed in this article aren't used by Co-op.

https://www.computing.co.uk/news/2025/security/five-cyber-tools-co-op-used-to-defeat-ransomware-attack

The link in the article to Vectra Cognito AI has a Coop Sweden logo on it, and the Coop Sweden CISO is named. Coop Sweden is different company. Coop Sweden went on to have a ransomware attack that crippled the org, including point of sale, so I don't think it's a good sales point. Same with Silverfort.

Google AI has ingested the article and now uses it to claim Co-op Group use the tools.

Here are the five cyber tools Co-op used to help defeat its recent ransomware attack

Computing research has identified the security tools and partners the Co-op used to stop last month’s cyberattack in its tracks.

M&S recruitment is still fully stopped, almost a month in. Co-op opened 46 new vacancies today.
Marks and Spencer’s CEO will lose a £1.1m share grant as a result of their cyber incident. https://www.ft.com/content/43531d25-4f7a-4d6e-b809-e85bb8f0033e
M&S chief executive faces £1.1mn pay hit after cyber attack

Stuart Machin’s awards set to shrink after UK retailer’s share price drops following disclosure of sweeping hack

Financial Times

The Times reports M&S were breached through a contractor and that human error is to blame. (Both M&S and Co-op use TCS for their IT Service Desk).

The threat actor went undetected for 52 hours. (I suspect detection was when their ESXi cluster got encrypted).

M&S have told the Times they had no “direct” communication with DragonForce, which is code for they’re using a third party to negotiate - standard practice.

https://www.thetimes.com/uk/technology-uk/article/m-and-s-boss-cyber-attack-7d9hvk6ds

M&S bosses under fire after ‘damaging and embarrassing’ cyberattack

The Times reveals that the hackers penetrated the retailer’s IT systems through a contractor and worked undetected for about 52 hours before the alarm was raised

The Times

M&S looks to be moving to reposition their incident as a third party failure, which I imagine will help redirect some of the blame (they present their financial results during the week to investors): https://www.bbc.co.uk/news/articles/cpqe213vw3po

Both M&S and Co-op outsourced their IT, including their Service Desk (helpdesk), to TCS (Tata) around 2018, as part of cost savings.

M&S hackers believed to have gained access through third party

The retailer has been struggling to get its services back to normal after a cyber-attack in April.

BBC News

There's nothing to suggest TCS itself have a breach btw.

Basically, if you go for the lowest cost helpdesk - you might want to follow the NCSC advice on authenticating password and MFA token resets.

I've put a 3 part deep dive blog series coming out probably next week called Living-Off-The-Company, which is about how teenagers have realised large orgs have outsourced to MSPs who follow the same format of SOP documentation, use of cloud services etc. Orgs have introduced commonality to surf.

The Office of the Privacy Commissioner for Personal Data (PCPD) has confirmed that Marks and Spencer (M&S) Hong Kong has not informed it of a recent customer data leak, nor responded to its enquiries. https://hongkongfp.com/2025/05/19/ms-hong-kong-not-responding-to-privacy-commissioners-office-after-online-customer-data-breach/
M&S Hong Kong not responding to Privacy Commissioner’s Office after online customer data breach

The Office of the Privacy Commissioner for Personal Data says M&S Hong Kong has not informed it of a recent customer data leak, nor responded to its enquiries.

Hong Kong Free Press HKFP

"Cyber analysts and retail executives said the company had been the victim of a ransomware attack, had refused to pay - following government advice - and was working to reinstall all of its computer systems."

Not sure who those analysts are, but since DragonForce haven't released any data and M&S won't comment other than to say they haven't had any "direct" contact with DragonForce, I wouldn't make that assumption.

https://www.reuters.com/business/retail-consumer/ms-slow-recovery-cyberattack-puts-it-risk-lasting-damage-2025-05-19/

There's also a line in the article from an cyber industry person saying "if it can happen to M&S, it can happen to anyone" - it's ridiculous and defeatist given Marks and Spencer haven't shared any technical information about how it happened, other than to tell The Sunday Times it was "human error"

The Air Safety version of cyber industry would be a plane crashing into 14 other planes, and industry air safety people going "Gosh, if that can happen to British Airways it could happen to anybody!"

Tomorrow it’s one month since Marks and Spencer started containment, it’s also their financial results day.

Online ordering still down, all recruitment stopped, Palo-Alto VPNs still offline.

I made this point a few weeks ago, but... outsourcing all your IT, Networks, Service Desk (helpdesk) and operational cybersecurity is a temporary cost saving and basically paints a ticking timebomb on the org, IMHO.
M&S say online ordering will be stopped until sometime in July, and it has taken a £300m hit, far higher than analysts had predicted. https://www.bbc.co.uk/news/articles/c93llkg4n51o
M&S cyber-attack disruption to last until July and cost £300m

Customers have been unable to order online for almost a month due to the cyber-attack.

BBC News
Their CEO has commented they’ve drawn a line under the hack, without recovering, which has a bit of this energy honestly

The NCA has confirmed on the record that the investigation into the M&S and Co-op hack is focused on English teenagers. I could toot the names of the people I think they’ll pick up, but won’t.

https://www.bbc.co.uk/news/articles/ckgnndrgxv3o

M&S and Co-op hacks: Scattered Spider is focus of police investigation

The National Crime Agency tells the BBC how it is trying to find the culprits of the M&S and Co-op hacks.

BBC News
The CEO of M&S has declined to comment if they have paid a ransom. For the record: I’ve heard they have, in secret, via their insurance. https://www.reuters.com/business/retail-consumer/ms-says-cyber-attack-was-result-human-error-declines-comment-ransom-2025-05-21/
Co-op Group announces it's getting rid of paper prices in stores, going to electric displays. Good luck during a ransomware incident 😒

TCS has a security incident running around the M&S breach.

Interestingly the source claims TCS aren't involved in Co-op's IT - which is categorically false, they took over most of it while I worked there, including the helpdesk, and my team (SecOps) after I left.

https://www.ft.com/content/c658645d-289d-49ee-bc1d-241c651516b0

Insurance Insider say Co-op Group have no cyber insurance policy.

It’s got the insurance industry hard as they think they can ambulance chase other orgs with it.

https://www.insuranceinsider.com/article/2eu3sto6ggpzewrryexog/lines-of-business/cyber/m-s-attacks-could-be-the-key-to-winning-new-cyber-business

M&S attacks could be the key to winning new cyber business

While M&S had a cyber policy in place, Co-op and Harrods did not, Insurance Insider revealed.

Insurance Insider
Seven weeks in, Marks and Spencer still have recruitment closed, online orders stopped and no Palo-Alto GlobalProtect VPN.

While Co-op have restored every customer facing system and internal systems like recruitment and remote working, M&S still don't even have recruitment back.

I'm reliably told they paid the ransom, so they'll be target #1 basically forever with other ransomware groups now due to resiliency woes and willingness to pay.

Marks and Spencer's remuneration committee have opted not to dock the CEOs pay as expected and prior reported over the cyber incident, but instead increased it by £2m.
https://www.bbc.co.uk/news/articles/c23mz5eg091o
M&S boss's pay hits £7m before cyber attack chaos

Stuart Machin's money is not affected by the IT disruption but it will be considered for next year's pay.

BBC News
Marks & Spencer is holding walk-in in-store recruitment open days to fill vacant roles while its online hiring system remains offline following its ransomware attack in April. https://www.thegrocer.co.uk/news/mands-stores-staging-walk-in-recruitment-open-days-amid-cyberattack-disruption/705189.article
M&S stores staging walk-in recruitment open days amid cyberattack disruption

M&S suspended online recruitment, along with clothing and home orders, after hackers took control of its systems in a cyberattack in April

The Grocer

This Daily Mail piece about security leaders thinking work-from-home means they will be crippled is horseshit, I'm not linking it.

They've taken a survey about how security people think their businesses couldn't survive ransomware, and linked it to working from home. WFH isn't the problem: business IT and resilience being built on quicksand is the problem.

Co-op say they have largely completed recovery, and have removed the cyber attack banner and statement from their website

https://www.retailgazette.co.uk/blog/2025/06/co-op-cyber-attack/

I think they did a great job. They do call it a "highly sophisticated attack", which, frankly.. isn't true and may come out in open court later if the suspects are ever caught.

6 weeks from containment to "near full" recovery, for statto nerds like me who track this stuff.

Co-op nears ‘complete recovery’ from cyber attack - Retail Gazette

Co-op has said it’s in a “much stronger position” as store deliveries return to normal following its cyber attack.

Retail Gazette

M&S had their ransomware incident communicated via internal email - from the account of a staff member who works for TCS.

The way TCS work is you give them accounts on your AD.

https://www.bbc.co.uk/news/articles/cr58pqjlnjlo

M&S hackers sent abuse and ransom demand directly to CEO

The criminals told the retailer's boss he could make things "fast and easy" if he complied with their demands.

BBC News

Marks and Spencer have started partial online shopping again.

For statto nerds, around 7 weeks from containment to partial recovery

https://www.bbc.co.uk/news/articles/c4gevk2x03go

M&S restarts online orders after cyber attack

The return of online shopping marks a key milestone for the retailer, which has struggling to get services back to normal.

BBC News
M&S still have no recruitment system, two months in.

TCS have told shareholders their systems were not compromised in the hack of M&S.

As an explainer here (not in the article): TCS IT systems weren't compromised. Their helpdesk service (they're AD admins at M&S) was used to gain access to M&S. They manage M&S IT systems.
https://www.reuters.com/business/media-telecom/indias-tcs-says-none-its-systems-were-compromised-ms-hack-2025-06-19/

Latest Marks and Spencer update is pretty crazy.

M&S haven't been able to supply sales data - so the British Retail Consortium (BRC) - used by the UK government as as economic indicator - basically made up figures for M&S and didn't tell people they had done this.

https://www.telegraph.co.uk/business/2025/06/24/retail-lobby-group-accused-of-ms-cyber-cover-up/

Retail lobby group accused of M&S cyber cover-up

British Retail Consortium published ‘made-up’ sales figures following attack on high street giant

The Telegraph
Ultra spicy post claiming to be from UK retailer employee (M&S or Co-op) about their experience with TCS on their security incident. https://www.reddit.com/r/cybersecurity/comments/1ll1l6c/scattered_spider_tcs_blame_avoidance/?utm_source=share&utm_medium=mweb3x&utm_name=mweb3xcss&utm_term=1&utm_content=share_button

Marks and Spencer’s CEO says half of their online ordering is still offline after their ransomware incident, they hope to get open in next 4 weeks.

They are also rebuilding internal systems and hope a majority of that will be done by August.

Lesson: mass contain early. M&S didn’t. Co-op did.

https://www.reuters.com/business/retail-consumer/ms-ceo-most-cyberattack-impact-will-be-behind-us-by-august-2025-07-01/

17 and two 19 year old teens picked up over Co-op and M&S hacks, and a 20 year old woman.

Pretend to be surprised.

https://www.bbc.com/news/articles/cwykgrv374eo

Four arrested in connection with M&S and Co-op cyber attacks

Three men and one woman - aged between 17 and 20 - have been arrested in London and the Midlands.

If you ever doubted the link between Scattered Spider(tm) and LAPSUS$ - one of the people arrested today was a key part of the LAPSUS$ attacks a few years ago.
After almost 3 months, Marks and Spencer recruitment system came back online just now. First 4 jobs posted.

. @briankrebs has broken the story that the key member (and teenager) of LAPSUS$ runs Scattered Spider

https://krebsonsecurity.com/2025/07/uk-charges-four-in-scattered-spider-ransom-group/

Co-op finally admitted the entire membership database was stolen

I had this in the thread months ago, they originally tried to deny it entirely then tried to say ‘some’ data was accessed when they knew it was the whole thing.

https://www.bbc.co.uk/news/articles/cql0ple066po

Co-op boss says sorry to 6.5m people who had data stolen in hack

In her first interview since the attack, Co-op's chief executive said she was "incredibly sorry" to customers.

BBC News

Personally I think Co-op did a really good job getting out of that situation and minimising impact.

I definitely think if you have a LAPSUS$ style advanced persistent teenagers situation, tilt towards open and honest comms as those kids will use secrecy against ya. It’s 2025, it’s okay to say you got hacked, people largely understand. Also, in IR, lawyers are usually stuck in 1980 advice - it’s just advice, they ain’t yo boss.

The people arrested as part of the Co-op and M&S hack investigation have been released on bail.

https://nation.cymru/news/four-people-bailed-after-arrests-over-cyber-attacks-on-ms-co-op-and-harrods/

Previously when this happened with LAPSUS$, they just continued hacking stuff.

Four people bailed after arrests over cyber attacks on M&S, Co-op and Harrods

Four young people who were arrested for their suspected involvement in the damaging cyber attacks against Marks & Spencer, the Co-op and Harrods, have been bailed. The arrests on July 10 included a 17-year-old British man from the West Midlands, a 19-year-old Latvian man from the West Midlands, a 19-year-old British man from London, and […]

Nation.Cymru
I understand the people released have not been charged.
M&S still working on system recovery. https://www.bbc.com/news/articles/cewyyjdzql4o
M&S Click & Collect returns 15 weeks after cyber attack

The retailer stopped taking orders on its website and app for clothing on 25 April.

@GossiTheDog When GDPR was being introduced, I got to see *so much* bad advice being given to companies by their lawyers that it made me realise how many lawyers really are making it up in the spot as much as everyone else - and therefore bringing their own biases and misapplied experiences.

@GossiTheDog

It’s 2025, it’s okay to say you got hacked, people largely understand.

Probably the most damning indictment of the entire computing industry that I've seen for a long time.

I don't disagree at all. But this absolutely should not be the case and wouldn't be if we weren't still building core infrastructure around ideas that were known to be bad by the mid 1980s.

@david_chisnall @GossiTheDog It would still happen. It would be different, no question, but logic errors are not solved by infrastructure, neither is the malicious intend.

Companies being hacked is quite close to car accidents. You have many individuals that manage devices that can do potential harm. There is a limited ability to enforce all rules to all individuals without breaking necessary loopholes in the system to work.

We do live with car accidents and we learn from them. It's all human.

@sheogorath @david_chisnall @GossiTheDog

When I'm driving I'm extremely careful because a crash can have life changing consequences for the people involved and the law rightly takes it seriously. I think we need to start treating cyber security the same way.

I'm not sure developers and companies always appreciate the scale of harm when things go wrong. Thousands of people work on car design to ensure safety. The fact that people can survive a 70mph crash is astonishing. Maybe it's time we ensure engineering principles are at the heart of software development outside of university.

@tigerhiddenadam @david_chisnall @GossiTheDog Agreed, but we also have to keep in mind that software development has this strict oversight e.g. in the car industry. IT is a helper technology. The same way not all bolds need to withstand forces of a space ship liftoff, not all IT has to withstand the most targeted attacks.

Should we improve it? Yes. Does this already happen? In some parts.

My point here: maybe we have to look at relevant industries and processes rather than IT on its own ;)

@sheogorath @tigerhiddenadam @GossiTheDog

Imagine I write a privilege separated application, where one process talks to the network but has no access to secrets and all of the others are bug free (ignore that this bit is probably impossible).

There is not one single mainstream operating system that I can point to and say: if the networked process is compromised then secrets will not be leaked. seL4 is able to make this guarantee (except for hardware side channels) but has a programmer model that makes it impossible to build large systems on it with useful security properties.

I consider that to be an IT industry problem. You can't do engineering of systems if you can't depend on any of your components.

@sheogorath @tigerhiddenadam @david_chisnall @GossiTheDog the main problems with this are that
- cars mostly need to withstand random events (acts of nature, stupid humans) while internet-exposed software needs to withstand clever adversaries.
- we have no particular separation between software that is "internet-certified" and not, nor do we separate developers into such classes.
- we have near-term cost pressures to cut corners; to use unsafe languages, to write unsafe code, "for performance".
@sheogorath @david_chisnall @GossiTheDog not sure I like this analogy, living in the US. We *don't* learn from car crashes here. Drivers and their organizations tend to resist safety measures (lowered speeds, road diets). People seek safety by driving ever-larger cars, the better to kill the other guy. Trucking industries resist safety standards required in other countries (overrun side guards). And "since we're bad at it, maybe do less of it" is regarded as crazy talk.
@GossiTheDog As consumers by now we know getting hacked is a probability. We just want to be told honestly with timely updates.
×
Seven weeks in, Marks and Spencer still have recruitment closed, online orders stopped and no Palo-Alto GlobalProtect VPN.

While Co-op have restored every customer facing system and internal systems like recruitment and remote working, M&S still don't even have recruitment back.

I'm reliably told they paid the ransom, so they'll be target #1 basically forever with other ransomware groups now due to resiliency woes and willingness to pay.

Marks and Spencer's remuneration committee have opted not to dock the CEOs pay as expected and prior reported over the cyber incident, but instead increased it by £2m.
https://www.bbc.co.uk/news/articles/c23mz5eg091o
M&S boss's pay hits £7m before cyber attack chaos

Stuart Machin's money is not affected by the IT disruption but it will be considered for next year's pay.

BBC News
Marks & Spencer is holding walk-in in-store recruitment open days to fill vacant roles while its online hiring system remains offline following its ransomware attack in April. https://www.thegrocer.co.uk/news/mands-stores-staging-walk-in-recruitment-open-days-amid-cyberattack-disruption/705189.article
M&S stores staging walk-in recruitment open days amid cyberattack disruption

M&S suspended online recruitment, along with clothing and home orders, after hackers took control of its systems in a cyberattack in April

The Grocer

This Daily Mail piece about security leaders thinking work-from-home means they will be crippled is horseshit, I'm not linking it.

They've taken a survey about how security people think their businesses couldn't survive ransomware, and linked it to working from home. WFH isn't the problem: business IT and resilience being built on quicksand is the problem.

Co-op say they have largely completed recovery, and have removed the cyber attack banner and statement from their website

https://www.retailgazette.co.uk/blog/2025/06/co-op-cyber-attack/

I think they did a great job. They do call it a "highly sophisticated attack", which, frankly.. isn't true and may come out in open court later if the suspects are ever caught.

6 weeks from containment to "near full" recovery, for statto nerds like me who track this stuff.

Co-op nears ‘complete recovery’ from cyber attack - Retail Gazette

Co-op has said it’s in a “much stronger position” as store deliveries return to normal following its cyber attack.

Retail Gazette

M&S had their ransomware incident communicated via internal email - from the account of a staff member who works for TCS.

The way TCS work is you give them accounts on your AD.

https://www.bbc.co.uk/news/articles/cr58pqjlnjlo

M&S hackers sent abuse and ransom demand directly to CEO

The criminals told the retailer's boss he could make things "fast and easy" if he complied with their demands.

BBC News

Marks and Spencer have started partial online shopping again.

For statto nerds, around 7 weeks from containment to partial recovery

https://www.bbc.co.uk/news/articles/c4gevk2x03go

M&S restarts online orders after cyber attack

The return of online shopping marks a key milestone for the retailer, which has struggling to get services back to normal.

BBC News
M&S still have no recruitment system, two months in.

TCS have told shareholders their systems were not compromised in the hack of M&S.

As an explainer here (not in the article): TCS IT systems weren't compromised. Their helpdesk service (they're AD admins at M&S) was used to gain access to M&S. They manage M&S IT systems.
https://www.reuters.com/business/media-telecom/indias-tcs-says-none-its-systems-were-compromised-ms-hack-2025-06-19/

Latest Marks and Spencer update is pretty crazy.

M&S haven't been able to supply sales data - so the British Retail Consortium (BRC) - used by the UK government as as economic indicator - basically made up figures for M&S and didn't tell people they had done this.

https://www.telegraph.co.uk/business/2025/06/24/retail-lobby-group-accused-of-ms-cyber-cover-up/

Retail lobby group accused of M&S cyber cover-up

British Retail Consortium published ‘made-up’ sales figures following attack on high street giant

The Telegraph
Ultra spicy post claiming to be from UK retailer employee (M&S or Co-op) about their experience with TCS on their security incident. https://www.reddit.com/r/cybersecurity/comments/1ll1l6c/scattered_spider_tcs_blame_avoidance/?utm_source=share&utm_medium=mweb3x&utm_name=mweb3xcss&utm_term=1&utm_content=share_button
@GossiTheDog this doesn't surprise me, in india TCS is seen as a spring board job. You join to gain experience. Stay for a few months maybe a year or two(if you're really desperate). grit your teeth deal with a horrible boss and then move to a better paying job. They have pretty high turnovers so training new staff is probably super low on the priority.

@GossiTheDog I'd be very curious to know what the breakdown is between TCS dropping the ball and lying about it and M&S/Co-op not actually insisting on adequate procedure.

It's not terribly uncommon for people to only care about time-to-resolution with some lip service to user satisfaction when it comes to helpdesk metrics; and tacitly discourage things that are slow and unpleasant like hassling people for ID, at least until that becomes a visibly terrible idea.

@GossiTheDog fun that this is the same TCS who are working on the DWP Child Maintenance Scheme and run the Teachers Pension Scheme for the DfE.
@RichBartlett @GossiTheDog TCS has not yet taken over TPS ops, another year+ before Capita is gone
@GossiTheDog To be fair, according to the article it was BRC who told its members about the made up first. Though we may argue it was a bit late.

@GossiTheDog In other words, their wetware was targeted.

"Our staff is our most valued asset. We depreciate on it."

@GossiTheDog so their systems were not compromised, but their employees’ creds into the M&S environment were?
@GossiTheDog it's the classic case of telling the literal truth in a way that implies something entirely false.

@GossiTheDog The term 'user' in "no TCS systems or users compromised" could be more interesting to argue on in a civil liabilities case.

If a TCS staff member falls for social engineering (even if the action they take is within an assigned M&S tenant account...), is that not the same as a TCS user being compromised?

Anyway... I'm sure that statement won't at all be like rubbing salt in M&S's wounds.

@GossiTheDog could it be that they are unable to recruit anybody to help fix the recruitment system, asking for an unemployed recruitment portal technician....
@GossiTheDog Still didn’t have any Percy Pigs at the last store I checked either. Staff told me they don’t know what they’re going to receive one delivery to the next.
@pete @GossiTheDog isn't that just situation normal (the delivery bit, not the Percy Pigs)?
@GossiTheDog That counts as "taking a heavy hit".
@GossiTheDog I'm sure the logic of 'work from home' being an existential threat while extensive exposure to outsourced managed services is just good sense must only baffle me because I'm not the sort of person who deserves a bonus that brings me up to £7 million for the year; not because it's questionable.
@fuzzyfuzzyfungus @GossiTheDog 💯 thanks for posting that. Saved me some typing 😀
@GossiTheDog that's really impressive. and have they confirmed no ransom paid?
@GossiTheDog can confirm my local co-op's shelves are mostly full now - and they have earl grey tea, which was the only thing I really missed!
@GossiTheDog I think they could reasonably argue that the common use of the term “sophisticated” when applied to attacks, is merely used to refer to an attack that succeeded.
@GossiTheDog the daily mail publishing click bait headlines with sensationalist takes that fit the narrative the rich and powerful want to push? Who could have predicted that ahead of time?
@GossiTheDog
Sounds like their companies rely on a hard outer shell and a squishy inside defense and nearly no layers of security.
@GossiTheDog anything to discredit wfh!
@GossiTheDog bankers are so afraid of WFH destroying the commercial real estate market, they'll pay for all kinds of bogus studies and make sure they get published and repeated far and wide to attempt to stop the wave of progress and modernization that is WFH. WFH is better for EVERYONE except the bankers who own your office. Fuck them. Fuck companies that capitulate to bankers and enact RTO policies to get preferential lending rates. Stay home

@GossiTheDog Looks like a product of the "a good lie contains as much truth as possible" school.

The connection to WFH is spurious; but only two thirds sounds low for "We don't really understand our problems; but they are probably apocalyptic".

@GossiTheDog only two thirds of security leaders think that if they got successfully ransomwared that it could 'cripple' their business? I guess some people are just really confident in their incident response.

@GossiTheDog The 'WFH' allegations seem in especially bad faith given the suspected entry point for the M&S compromise: the outsourced helpdesk.

Those guys are even more compliant labor than work-not-from-home employees, so the Daily Heil isn't going to say anything; but lack even the (informal; but in practice often at least reasonably effective) "does the IT person you just poked recognize who is interrupting with a password question?" ID verification step with onsite workers and onsite IT.

@fuzzyfuzzyfungus @GossiTheDog Indeed, the way many organizations get got is through poorly secured third-party service providers. Not employees doing WFH.
@GossiTheDog Just about everything Daily Mail publishes is horseshit.
@GossiTheDog I could draft an opposing headline about how ransomware and cyber threats will naturally proliferate faster and more easily within a physical network than it will in a distributed environment.
It wouldn't be the whole story either, but it's just as true.

@ftp_alun @GossiTheDog There are also the organizations where basically everyone is 'remote' relative to the cloud stuff that is what actually matters and will either be fine or irrecoverably paved depending on how you configured it and whether or not the AWS/Azure admin creds got compromised.

Endpoints are high hassle per unit change; and nobody staffs IT such that they can replace or reimage them all at once; but unless it's really the dark ages just swapping or paving is usually fine.

@GossiTheDog its always so funny bc with current technology there could be really no difference someone break in and use workplace vs break in and use home work station (some could even say properly deployed WFH setups could be even more protected than onsite devices where no one really cares) ^^
@GossiTheDog dammit I read WFH as Waffle House in my head and now I can’t stop
@GossiTheDog The Daily Mail is pretty much horse 💩 from cover to cover. As a sketch song about newspapers by comedian Rory Bremner years ago said, "Why don't they print it all in brown? That's the colour crap is!"

@GossiTheDog wasn't there some event, maybe 5 years ago, that meant a lot of WFH? Or did I hallucinate those times.

Is it suddenly a problem now or this is the same RTO bullshit being peddled?

@GossiTheDog I WFH 100% of the time. I never connect to an office "network". The only way I could spread any form of malicious payload to my colleagues is through shared communications platforms which not only requires ME to fuck up so that my account is used to send that payload to others, but it then requires the recipients to ALSO screw up and make mistakes like open dodgy links or attachments. WFH provises an additional buffer to protect an organisation, in my opinion.
@GossiTheDog Nice job if you can get it
@GossiTheDog Incredible. I'm sure the blame will be passed on to some lowly IT personnel and the leadership will take none of it. Leadership loves taking credit for profits but when it comes to losses, that's not on them.

@GossiTheDog

Marks and Spencer abandoned my city to take themselves out in the sticks where the only way to get to them from here, is by car, so I have abandoned Marks and Spencer's, they have nothing really original anyway.

@GossiTheDog The greatest lie Office Space ever told is that "What would you say you do here?" is primarily a question to be asked down rather than up.
@GossiTheDog I guess, compared to that, paying the ransom was just peanuts, yes?
@bontchev @GossiTheDog haha pay the CEO eye-watering amounts so that if you get ransomed it's cheap😂
@GossiTheDog CISO is an ablative role
@GossiTheDog we/they/someone/anyone *really* need to think very hard about how to properly redo absolutely secure internet facing IT systems.
@GossiTheDog guess they're going to need to fully embrace "it's *when* you get hacked not *if* you get hacked."
@GossiTheDog If they paid it did them precisely no good and put an even bigger target on their back. Stupid decision that will see their premiums go up massively.
DragonForce actors target SimpleHelp vulnerabilities to attack MSP, customers

Ransomware actor exploited RMM to access multiple organizations; Sophos EDR blocked encryption on customer’s network

Sophos News
@GossiTheDog The sla got reset because the helpdesk marked the ticket closed, reopen if the problem persists.