There’s a very interesting analysis of the cyber attacks on Marks & Spencer, the Co-op and Harrods on the BBC this week. If you have access to their iPlayer, then it’s well worth a watch:
https://www.bbc.co.uk/iplayer/episode/m002d2lh/inside-the-high-street-cyberattacks
If you don’t, here’s a summary, as it illustrates how fragile our digital world is today.
In April, hackers took over Marks & Spencer’s systems. The result was that no online or digital orders could be taken and, more importantly, M&S could not place orders with its suppliers, resulting in empty shelves in the shops.
A few days later the same happened to the Co-operative Group, Co-op for short, and then, a few days after that, to Harrods, the luxury London store.
What was going on?
Well, it turns out that an underground group, most likely teenagers, calling themselves DragonForce had hacked into a major provider of retail digital services and broken its systems.
By breaking into that provider’s systems, they could reach the details of all of its customers. Basically a supply-chain attack, or a man-in-the-middle if you will, except that in this case the man in the middle is a provider of cloud-based services to retailers.
That’s the theory anyway.
How they did it is the question, and the view is that it was through social engineering. As with APP (Authorised Push Payment) fraud, you send a message pretending to be the boss – in this case pretending to be from the service provider – asking the recipient to hand over details to approve a transaction or to re-confirm their identity on the provider’s system. The employee clicks, and BANG!, the hackers have access.
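The defensive counterpart of that lure is a triage check on inbound messages. The following is an added example, not code from the original post or from the BBC programme: it flags a message that claims to come from the service provider but is sent from a different or lookalike domain, that uses “re-confirm your identity” / “approve the transaction” wording, or that links to a host the provider does not own. The supplier domain `example-retailtech.com` and the two sample messages are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical: the only domain the genuine service provider sends mail from.
TRUSTED_SUPPLIER_DOMAIN = "example-retailtech.com"

# Wording typical of the lures described above (illustrative, not exhaustive).
LURE_PATTERNS = [
    r"re-?confirm\s+(your\s+)?identity",
    r"verify\s+(your\s+)?(account|identity|credentials|login)",
    r"approve\s+(this|the|a)\s+(transaction|payment|request)",
    r"password\s+(reset|expired|will\s+expire)",
    r"\b(mfa|one-time\s+code|authenticator)\b",
]


@dataclass
class Message:
    sender: str              # raw From: header, e.g. 'IT Support <it@example.com>'
    subject: str
    body: str
    links: list = field(default_factory=list)


def edit_distance(a, b):
    """Levenshtein distance; used to catch one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Second-level label: 'example-retailtech' for 'mail.example-retailtech.com'."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def domain_of(address):
    """Domain part of 'Name <user@host>' or 'user@host'; '' if there is none."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def is_trusted(host, trusted=TRUSTED_SUPPLIER_DOMAIN):
    """True for the supplier's domain itself or any subdomain of it."""
    return host == trusted or host.endswith("." + trusted)


def is_lookalike(domain, trusted=TRUSTED_SUPPLIER_DOMAIN):
    """True for a domain that is not the supplier's but is a near miss for it."""
    if not domain or is_trusted(domain, trusted):
        return False
    want, got = registrable_label(trusted), registrable_label(domain)
    return want in got or edit_distance(want, got) <= 2


def triage(msg, trusted=TRUSTED_SUPPLIER_DOMAIN):
    """Return the reasons a message looks like supplier impersonation ([] if none)."""
    reasons = []
    display_name, _ = parseaddr(msg.sender)
    dom = domain_of(msg.sender)
    # Does the display name invoke the supplier's brand while the domain is not theirs?
    brand_words = [w for w in registrable_label(trusted).split("-") if len(w) > 3]
    claims_supplier = any(w in display_name.lower() for w in brand_words)
    if claims_supplier and not is_trusted(dom, trusted):
        reasons.append(f"display name claims the supplier but sender domain is '{dom}'")
    if is_lookalike(dom, trusted):
        reasons.append(f"sender domain '{dom}' is a lookalike of '{trusted}'")
    text = f"{msg.subject}\n{msg.body}"
    for pat in LURE_PATTERNS:
        if re.search(pat, text, re.IGNORECASE):
            reasons.append(f"lure wording matches /{pat}/")
    for link in msg.links:
        host = (urlparse(link).hostname or "").lower()
        if not is_trusted(host, trusted):
            reasons.append(f"link points at untrusted host '{host}'")
    return reasons


# Constructed sample messages (not real traffic).
SAMPLES = {
    "phish": Message(
        sender="RetailTech Support <helpdesk@example-retailtech-support.com>",
        subject="Action required: re-confirm your identity",
        body="Please approve the transaction ref 4471 by signing in at the link below.",
        links=["https://example-retailtech-support.com/login"],
    ),
    "clean": Message(
        sender="RetailTech Support <helpdesk@example-retailtech.com>",
        subject="Scheduled maintenance window",
        body="The platform will be unavailable on Sunday between 02:00 and 04:00.",
        links=["https://status.example-retailtech.com/"],
    ),
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(label, "->", triage(msg) or ["no indicators"])
```

The point of the check is that none of the individual signals is decisive on its own (a genuine supplier may well ask you to verify something), but a message that hits several of them at once is exactly the one that should go to the help desk for confirmation over a known phone number rather than be clicked.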
After that, the demand for $5 million in bitcoin appears. Most corporate types have no idea what bitcoin is, let alone how to make a payment in it, but that’s no problem. The hackers running the ransomware have a victim support centre, or VSC if you prefer. Contacting the VSC gets you walked through creating a bitcoin wallet, transferring funds into it and paying those funds out to another wallet. Things are changing, folks!
Add onto this the double tap, or double extortion as it is usually called. First, you demand a bitcoin payment to give the systems back; then you demand a second payment to assure the victim that the stolen customer data will be kept private or, if not, the customer details – names, dates of birth, addresses and more – will be released into the wild.
It’s pretty sophisticated stuff and we’ve seen it before, from the WannaCry attack on the NHS in 2017 to the Scattered Spider attack on the Las Vegas casinos in 2023.
Interestingly, most businesses pay up as well. The BBC report notes that 82% of companies pay the ransom, as it’s either that or rebuild their systems from scratch, which is even more costly. The Home Office also notes that more than half of the UK’s large businesses experienced a cyberattack in 2024, and it’s only going to increase.
It’s going to increase because these things work and, if you get caught, well … it ain’t so bad. In the UK, the Computer Misuse Act 1990 sets tiers of possible jail time but, bearing in mind the jails are full, you’ll probably only serve half the sentence. Those tiers?
Level 1 (section 1): Unauthorised access to computer material, up to two years in prison.
Level 2 (section 2): Unauthorised access with intent to commit or facilitate further offences, up to five years in prison.
Level 3 (section 3): Unauthorised acts with intent to impair the operation of a computer, or with recklessness as to impairing it, up to ten years in prison.
Level 4 (section 3ZA, serious damage): Unauthorised acts causing, or creating a significant risk of, serious damage, up to fourteen years in prison, or life imprisonment where the damage is to human welfare or national security.
So, you have the opportunity of making more than $10 million with a high probability you won’t be caught and, if you are, a high probability you’ll only serve a year or two. What have you got to lose?