The M&S attack….could we have helped?

If, like me, you have no affiliation to a particular supermarket or retail outlet, then in April this year you would have experienced a double whammy of empty shelves and panic. First it was M&S staff warning me at the door that I couldn’t shop with my card because of a ‘cyber incident’. Then, when I popped down the road to the Co-op instead, the cupboard was equally bare. Nervous staff informed me that they too had been hacked some weeks earlier, hence the dwindling stock.

The first most of us really got to know about the M&S incident was over the Easter weekend of 2025, when the company announced that measures were being put in place to ‘protect shoppers and the business’. It later transpired that customer personal data had been compromised as part of an orchestrated ransomware cyber-attack.

The attacks on M&S and the Co-op have far-reaching implications. Apart from the empty shelves, suspension of online trading and staff being denied access to corporate systems, M&S alone is likely to take a £350m hit. But it’s not just the financial fallout. The impact on trust and reputation is arguably more damaging. For companies that have built loyalty schemes through data there is now real concern and nervousness among the erstwhile M&S faithful that their private information could be in the hands of the hackers.

So why were the likes of M&S and the Co-op targeted? Probably because they are household names with significant turnover and prominence. However, they were not the only retailers targeted that week. The fact that they suffered the brunt of a wider cyber-attack was because, put simply, they were vulnerable.

Whatever M&S had in place to thwart the hackers, it clearly wasn’t enough, and realistically no static defence ever could be. The threat landscape is dynamic and ever-changing. You only need to witness the beginnings of the AI revolution to understand how quickly the digital world moves on, and with it the growing number of malicious vectors that keep CISOs awake at night.

If you visit our website and read our blogs you will know that we unashamedly claim to be experts in combatting the insider threat. Indeed, we were one of the first security companies to concentrate on the ‘internal threat’ rather than the perimeter and have an unbeatable toolkit to audit, mitigate and prevent unintended or malicious behaviour in real time. So, because M&S had allegedly been hit by external forces, it was suggested to me that we could have done nothing to help them avoid their ransomware attack. Not the case…read on.

While it is widely believed that the breach of M&S was the work of the well-known hacking group often referred to as ‘Scattered Spider’, some level of internal assistance cannot be ruled out. In fact, there is speculation that a contracted supplier may have provided access to M&S systems. Over the past five years the number of employees in large corporates offering their ‘insider’ services on the Dark Web has been steadily rising. They are typically IT staff with privileged access who are prepared to give hackers an easier ride in return for a slice of any payout. So understanding what your employees are doing, and why, is as important as what goes on at the edge. In many ways, combatting the Insider Threat is the most challenging task of all. It is driven by human behaviour, and as we know human behaviour is highly unpredictable, making it difficult to anticipate and defend against.

There are three main categories of Insider: those who act carelessly and unintentionally through lack of application or training, disgruntled employees who act maliciously to damage a company’s reputation, and those who are long-term ‘sleepers’ intent on acquiring IP or company know-how to sell on to individuals or rogue states. Now, with a black market for insider services, there is a fourth category: those who support an orchestrated external team intent on extortion, with an eye on sharing the spoils of any ransom.

So yes, had M&S deployed us as a ubiquitous ITMAS (Insider Threat Monitoring and Audit Solution) as part of their overall IT security strategy, we would have seen the early changes in ‘state’ and behaviour that either identify or rule out insider collusion. M&S could also have insisted that any of their contracted services, including the likes of call centres, were monitored in the same way.

I have said before that the ability to monitor the workforce proportionately, in a way that is documented and compatible with GDPR, is as important as antivirus on the endpoint. A lightweight agent like Vigilant’s VigilancePro, reporting in real time, is as much about protecting all staff from making unintentional mistakes as it is about pinpointing internal malicious actors. Its ability to raise the level of surveillance automatically, in proportion to unfolding out-of-policy behaviour, sets it apart from the rest. So does the ability to monitor and disable those who hold the ultimate privileged access: the administrators. Admin rights sit with the most trusted individuals, but those same individuals are the target for Dark Web recruiters. Withdrawing admin rights in real time on the basis of behaviour is not easy, but we see it as an essential part of addressing your internal risk.
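To make the idea of proportionate, behaviour-driven escalation concrete, here is a small added example of the mechanism described above. It is illustrative code written for this article, not VigilancePro’s own logic or any part of M&S’s estate. The event names, their weights, the tier thresholds, the 24-hour decay half-life and the log-line format are all assumptions chosen for the example, and the log lines are constructed, not real. Each out-of-policy event adds to a per-user risk score, old behaviour fades with time, and the monitoring tier (and the response, up to revoking admin rights) follows the score rather than being fixed for everyone.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Weights for out-of-policy events. ASSUMED values for illustration only.
EVENT_WEIGHTS = {
    "after_hours_privileged_logon": 20,
    "bulk_file_access": 25,
    "new_local_admin_added": 30,
    "security_tool_disabled": 50,
}

# Monitoring tiers, lowest threshold first: (threshold, tier, response).
# ASSUMED thresholds; the point is that the response grows with the score.
TIERS = [
    (0, "baseline", "standard audit logging"),
    (40, "elevated", "record command lines and file-access detail"),
    (80, "intensive", "full session capture, notify the SOC"),
    (120, "contain", "revoke administrative rights now, notify the SOC"),
]

HALF_LIFE = timedelta(hours=24)  # old behaviour fades; a burst does not

# Assumed log format: "<ISO timestamp> user=<name> event=<event>"
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+)$")


@dataclass
class UserState:
    score: float = 0.0
    last_seen: Optional[datetime] = None
    tier: str = "baseline"


def tier_for_score(score: float) -> Tuple[str, str]:
    """Return (tier, response) for the highest threshold the score meets."""
    name, response = TIERS[0][1], TIERS[0][2]
    for threshold, t, r in TIERS:
        if score >= threshold:
            name, response = t, r
    return name, response


class ProportionateMonitor:
    """Per-user risk score with exponential decay driving a monitoring tier."""

    def __init__(self) -> None:
        self.users: Dict[str, UserState] = {}
        # (timestamp, user, old_tier, new_tier, response) per tier change
        self.transitions: List[Tuple[datetime, str, str, str, str]] = []

    def ingest(self, when: datetime, user: str, event: str) -> str:
        state = self.users.setdefault(user, UserState())
        if state.last_seen is not None:
            # Halve the score for every HALF_LIFE elapsed since the last event.
            state.score *= 0.5 ** ((when - state.last_seen) / HALF_LIFE)
        state.score += EVENT_WEIGHTS.get(event, 0)  # unknown events weigh 0
        state.last_seen = when
        new_tier, response = tier_for_score(state.score)
        if new_tier != state.tier:
            self.transitions.append((when, user, state.tier, new_tier, response))
            state.tier = new_tier
        return new_tier

    def ingest_log(self, lines) -> Dict[str, str]:
        """Feed log lines in time order; return the final tier per user."""
        for line in lines:
            m = LOG_RE.match(line.strip())
            if not m:
                continue  # skip lines that are not in the expected format
            self.ingest(datetime.fromisoformat(m["ts"]), m["user"], m["event"])
        return {u: s.tier for u, s in self.users.items()}


# Constructed sample log: alice shows a tight burst of privileged misuse,
# bob shows two isolated events 48 hours apart that decay between them.
SAMPLE_LOG = """\
2025-04-19T02:14:00 user=alice event=after_hours_privileged_logon
2025-04-19T02:20:00 user=alice event=new_local_admin_added
2025-04-19T02:45:00 user=alice event=bulk_file_access
2025-04-19T03:10:00 user=alice event=security_tool_disabled
2025-04-19T09:00:00 user=bob event=bulk_file_access
2025-04-21T09:00:00 user=bob event=bulk_file_access
""".splitlines()


def run_sample() -> Tuple[Dict[str, str], List[Tuple[datetime, str, str, str, str]]]:
    mon = ProportionateMonitor()
    tiers = mon.ingest_log(SAMPLE_LOG)
    return tiers, mon.transitions


if __name__ == "__main__":
    final_tiers, changes = run_sample()
    for when, user, old, new, response in changes:
        print(f"{when:%Y-%m-%d %H:%M} {user}: {old} -> {new} ({response})")
    print(final_tiers)
```

Run as-is, alice climbs from baseline to elevated when she adds a local admin minutes after an after-hours privileged logon, and straight to contain when she disables a security tool, while bob never leaves baseline because his two bulk accesses are two days apart and the first has largely decayed. In a real deployment the weights and thresholds would be tuned per role and documented in the monitoring policy, and the "contain" response would be wired to the identity provider rather than printed.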

Finally, the uptake of all things AI has handed insiders new, powerful tools to access, manipulate and extract data, and seemingly to cover their tracks while doing so. With internal AI decision-making now prevalent in almost every corporate, the Insider Threat is likely to be one of the most challenging risks for any business over the next decade.

My advice is to embrace the proportionate monitoring approach now, starting from baseline policies; to identify and understand where AI is making decisions inside your business; to protect your staff; and to be ready to STOP the malicious individual before they bring your company to its knees.

We provide comprehensive ITMAS for Britain’s biggest police forces. What we do for them is available for you….and that includes M&S!

Author

Article Published: 20th June 2025
Written by: Andy Craig, Vigilant Co-founder and Director
