On Tuesday, April 22, Marks & Spencer, the venerable English institution, confirmed it was experiencing a cyberattack that disrupted contactless payments and online ordering. The current tally by the Financial Times estimates that Marks & Spencer may have lost a billion pounds between lost sales and stock value. In an update from the FT on May 27th, 2025, it has been made clear that this attack was initiated through social engineering an employee of the IT help desk.

M&S revealed last week that cyber criminals accessed its systems using social engineering tactics via a third-party supplier, which typically means duping IT staff into changing passwords or resetting authentication processes. (Financial Times, May 27th, 2025)

These types of attacks are increasing in frequency and severity, and they are almost always successful: MGM, and now M&S, Harrods and Co-op. A major factor in these attacks, and one that most companies aren't prepared for, is the human factor. Attackers use vishing, deepfakes, pretexting and other techniques to convince employees to grant them access.

Not to say I Told You So, but I've been shouting from the rooftops about this for a while now.

The attack on the British retailer is believed to have been orchestrated by Scattered Spider, a loosely affiliated network of threat actors notorious for their social engineering skills, according to reporting from Bleeping Computer.

The attack escalated on April 24, when the DragonForce encryptor was deployed across M&S's VMware ESXi infrastructure, freezing virtual machines and bringing parts of the operation to a halt. Even today, the ripple effects continue.

Unlike groups often responsible for cyber crimes in the past… their hallmark is staging ransomware attacks based on manipulating human beings as much as systems, using hard-to-counter social engineering techniques. These range from impersonating or intimidating key employees and persuading IT desks to reset passwords, to "SIM swapping" or taking control of a phone, including by conning mobile operators, to intercept verification codes. AI threatens to magnify their capabilities. (Financial Times, May 27th, 2025)

Scattered Spider is not a conventional ransomware crew. In fact, it’s not a crew at all, but a label applied to a set of tactics such as SIM swapping, phishing, multi-factor authentication fatigue, and impersonation of IT help desks. These are used by dispersed English-speaking attackers coordinating via Telegram and Discord. Their methods rely not just on technical exploits, but on psychological manipulation. They know who to impersonate, when to strike, and how to exploit the human element of corporate infrastructure. They’ve taken down casinos, stolen millions, and now disrupted one of Britain’s most iconic brands.

M&S reportedly brought in CrowdStrike, Microsoft, and Fenix24 to investigate and recover. The damage is still being tallied, but the implications are already clear. This incident was not simply a technical failure. It was a failure to contain the implicit trust embedded in the way large organizations operate. The attack did not hinge on advanced malware or zero-day exploits. It succeeded because a series of impersonations and assumptions were allowed to stand unchallenged.

The breach began with access to the NTDS.dit file, the Active Directory database that holds the domain's account password hashes. That file, once in the hands of attackers, provided a blueprint for lateral movement. But this access should not have been so easy to exploit. Storing credential data in static, accessible formats creates durable opportunities for exploitation. Without safeguards that question and verify who is accessing what, and why, such compromises become inevitable.

In most serious incidents, intrusion unfolds quietly. There are no immediate indicators, just a series of routine interactions that slip through undetected. Attackers often succeed not by breaching defenses directly, but by blending into the expected flow of communication and behaviour, walking through systems one interaction at a time with nothing more than a convincing pretext.

In the case of M&S, the infrastructure that failed was virtual, but the breach was enabled by the absence of defensive friction. Approvals were assumed to be legitimate. Identities were accepted at face value. Critical systems operated without protective boundaries that questioned intent. That is what made the breach so effective, and why recovery will take time.

The broader lesson is this: no amount of system hardening can protect an organization if the human layer remains exposed. When credentials, approvals, and instructions can be faked or replayed, attackers don’t need to find technical exploits; they simply exploit the people. What’s needed are tools specifically designed to handle that human risk: identity verification built into communication workflows, approvals that can’t be spoofed, messaging channels that expire and can’t be forwarded or reused. These measures shift the burden away from employees having to spot the threat and toward systems that deny impersonation by design. (All of which, for full transparency, are capabilities our platform, Traceless, provides.)

Modern security architecture needs to reduce exposure to long-lived data, tightly control how identity is proven, and enforce expiration on sensitive assets. Ephemeral communication, verified identity workflows, and data that self-destructs after use. These are not theoretical concepts. They are practical responses to a threat landscape where psychological manipulation is just as dangerous as code.
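To make the "approvals that can't be spoofed, forwarded or reused" idea concrete, here is an added example (not Traceless's code and not from the original post) of a help-desk approval token that is bound to one requester and one action, expires, and can be redeemed exactly once; the agent name, requester name and action strings are constructed placeholders.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key; in a real deployment this lives in a KMS/HSM, never in source.
SERVER_KEY = b"demo-only-approval-signing-key"
TOKEN_TTL_SECONDS = 300          # an approval is useless five minutes after issue
_used_nonces = set()             # single-use registry (a durable store in practice)


def issue_approval(approver, subject, action, now=None):
    """Mint an approval AFTER the help-desk agent has verified the requester out of band.
    The token is bound to approver, subject and action, carries an expiry and a nonce,
    and is sealed with an HMAC so no field can be edited or swapped to another request."""
    now = time.time() if now is None else now
    claims = {"approver": approver, "subject": subject, "action": action,
              "nonce": secrets.token_hex(8), "exp": now + TOKEN_TTL_SECONDS}
    msg = json.dumps(claims, sort_keys=True).encode()
    token = dict(claims)
    token["mac"] = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return token


def redeem_approval(token, subject, action, now=None):
    """Check a presented approval against the request actually being executed.
    Order matters: integrity first, then binding, then freshness, then single use."""
    now = time.time() if now is None else now
    claims = {k: v for k, v in token.items() if k != "mac"}
    msg = json.dumps(claims, sort_keys=True).encode()
    expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token.get("mac", "")):
        return "rejected: tampered or forged"          # edited or fabricated approval
    if claims["subject"] != subject or claims["action"] != action:
        return "rejected: approval does not match this request"   # forwarded to another use
    if now > claims["exp"]:
        return "rejected: expired"                     # stale approval replayed later
    if claims["nonce"] in _used_nonces:
        return "rejected: replay"                      # same approval presented twice
    _used_nonces.add(claims["nonce"])
    return "approved"


if __name__ == "__main__":
    t0 = time.time()
    tok = issue_approval("helpdesk-agent-7", "jane.doe", "password-reset", now=t0)
    print(redeem_approval(tok, "jane.doe", "password-reset", now=t0 + 10))   # approved
    print(redeem_approval(tok, "jane.doe", "password-reset", now=t0 + 20))   # rejected: replay
```

The friction this adds is deliberate: the agent who verified the caller is named in the approval, and nobody downstream can reuse that approval for a different account, a different action, or a second reset.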

The attack on Marks & Spencer is not unique. It follows a well-worn pattern seen in dozens of high-profile breaches. What changes, if anything, is how organizations choose to respond: whether they will continue to rely on instinct and recognition, or whether they will shift to systems that assume the worst and verify everything.

Until that shift happens, we will keep writing versions of this same story.

—Gene

UPDATE: It looks like GCHQ's National Cyber Security Centre has released a statement offering guidance to companies. All solid suggestions, but still lacking from my perspective. Help desk attacks, human manipulation, and deepfake phone and video calls will all continue to grow in number and severity. Every company needs the tools to combat them - ephemeral messaging, identity verification that's built into workflows, etc. (Again, all of which Traceless does).