Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Digital Transformation. Show all posts
Vulnerabilities
Cyber CyberCrime Cybersecurity CyberThreat Data Breach Digital Transformation Mark&Spencer Ransomware Breach Social Engineering Vulnerabilities

Social Engineering Identified as Catalyst for M&S Ransomware Breach

 


Marks & Spencer (M&S), one of the largest and most established retailers in the United Kingdom, has confirmed that a highly targeted social engineering operation triggered the ransomware attack in April 2025. This breach, which is associated with DragonForce ransomware, points to a disturbing trend in the cybersecurity landscape, namely that human manipulations are increasingly becoming a way to access large-scale digital networks.

Several preliminary findings suggest that the attackers deceived individuals within or connected to the organisation, possibly by posing as trusted employees or partners, to gain unauthorised access to M&S's internal systems. Once they gained access, the attackers deployed ransomware that crippled the organisation's operations and led to the theft of approximately 150 GB of sensitive information.

It is important to note that not only did the attack disrupt critical business functions, but it also exposed the weakness in the company's dependence on third-party vendors, whose vulnerabilities may have contributed to the intrusion. While the company is actively regaining control of its infrastructure as a result of the breach, the incident is a clear warning to organisations across many sectors about the growing threat of social engineering as well as the urgent need for more robust human-centred cybersecurity defences to protect against it.

A public hearing was held on July 8, held at Parliament, in which Archie Norman, Chairman of Marks & Spencer (M&S), gave further insight into the cyberattack in April 2025 that disrupted the retailer's operations. Norman acknowledged that the incident was indeed a ransomware attack, but he declined to divulge whether the company had negotiated anything with the threat actors involved or negotiated a financial settlement. 

According to Norman, who addressed the Business and Trade Sub-Committee on Economic Security, Arms and Export Controls at the UK Parliament, the experience was one of the most disruptive and complex crises he had experienced in his considerable career in business and retail before this one.

As part of the presentation, he stressed the severity and unprecedented nature of the attack that, as it has been discovered, was carried out by the Scattered Spider cyber criminal collective, which is well known for attacking major corporations using DragonForce ransomware infrastructure as a means of extortion and ransom.

It is clear from Norman's testimony that cybercriminal groups have become more bold and technically sophisticated over the last few years, particularly those that employ social engineering as a way to circumvent protocols of conventional security and bypass them.

Aside from acknowledging the considerable operational challenges the company faced in responding to the incident, the chairman pointed out that businesses must strengthen their digital resilience and make themselves more resilient in a rapidly evolving threat landscape, which is difficult to predict. Even though Archie Norman did not disclose specific details about the operation, he did reveal that initially, the attackers were successful in gaining access by exploiting the impersonation scheme devised by an expert security expert.

According to him, the threat actors posed as some of the approximately 50,000 Marks & Spencer employees and successfully deceived a third-party service provider into resetting a legitimate employee's password after posing as one of these employees. As a result of the attackers' seemingly simple deception, they were able to bypass identity verification protocols and gain unauthorised access to the retailer's internal systems, resulting in the attackers gaining access to the retailer's internal network.

In addition, the tactic represents a growing trend in cybercrime in which attackers exploit the trust that large, distributed organisations place in their internal and external vendors to gain access to their networks. The perpetrators were able to manipulate routine IT processes, such as password resets, and then move laterally within the network, setting the stage for a wider deployment of ransomware.

There is an important lesson to be learned from the incident regarding the importance of stringent verification procedures when working with external partners who can become weak links in your security chain, particularly when engaging with external partners. As reported in the Financial Times in May, Tata Consultancy Services (TCS) allegedly initiated an internal investigation to determine whether the company unknowingly played a role in the cyberattack on Marks & Spencer by facilitating the cyberattack.

In the case of TCS, which provides M&S's help desk support, it has been suspected that the threat actors have manipulated the company into resetting the password of an employee, enabling the attackers to gain access to the retailer's internal network. The threat actors are alleged to have done this through the manipulation of TCS. This potential compromise highlights the broader risks associated with outsourcing IT operations and the increasing reliance on third parties to handle critical business functions, as well. 

As a first step towards the resolution of the breach, M&S has publicly identified the DragonForce ransomware infrastructure as how the attack was carried out, revealing that the perpetrators are suspected of operating from Asia. The acknowledgement comes as the company continues to recover, witha phased return to its online retail services being phased in.

 With the introduction of limited home delivery options on June 10, M&S has made it possible for select fashion products to be delivered to customers across England, Wales, and Scotland. Currently, the service is only available to customers in England, Wales, and Scotland. As part of its commitment to managing operational strain and ensuring service reliability, M&S has temporarily extended its standard delivery window to 10 days to ensure service reliability.

 In terms of customer impact, M&S confirmed that certain personal data was compromised during the breach, but that click-and-collect services, which are still suspended as part of the recovery process following the attack, will also be reinstated shortly. As a matter of fact, M&S confirmed that certain personal data had been compromised. Among the information exposed are names, home addresses, phone numbers, email addresses, dates of birth, and information about online orders, which is often exposed.

Despite this, the company has assured the public that no usable information, such as payment information, credit card numbers, or passwords, has been compromised. As a precautionary measure, M&S will ask customers to reset their passwords to ensure that their personal information remains safe. Customers are advised to remain vigilant to be aware of possible phishing attempts or fraudulent activity involving their personal information.

While speculation continues to abound on the possible financial resolution of the ransomware attack, Marks & Spencer has chosen not to disclose whether they have made a ransom payment in the first place. Chairman Archie Norman's testimony made reference to professional ransomware negotiation firms in his testimony. These firms, which are usually specialised intermediaries that assist victim organisations to engage threat actors and facilitate cryptocurrency payments, typically using Bitcoin, are often used by these firms to help victims resolve these threats.

In response to a direct question regarding whether M&S had met the ransom demand, Norman declined to provide a definitive answer. He stated that the company had "not discussed those details publicly" as they believed it was not in the public interest to do so. However, he emphasised that the National Crime Agency (NCA) and other law enforcement authorities had been notified of the full extent of the investigation.

Many experts on the subject of cybersecurity warn that ransomware groups rarely cease extortion efforts without compensation. Because the stolen data has not yet been disclosed publicly, experts believe a ransom might have been paid quietly or negotiations may still be ongoing with the attackers.

Regardless of the outcome of the M&S breach, it serves as a sobering reminder that cybersecurity failures have evolved beyond technical vulnerabilities and are now a result of failures across people, processes, and technological safeguards as well. Despite the rapid evolution of the threat environment in today's world, traditional security tools such as antivirus software are no longer sufficient to deal with the growing number of malware groups that are becoming increasingly agile.

It is imperative that businesses adopt adaptive security architectures that are policy-driven and capable of detecting and neutralising threats before they escalate. In light of the M&S incident, there is an urgent need to develop an approach to cyber resilience that anticipates human error, strengthens digital ecosystems, and minimises the operational and reputational costs associated with an attack.

 In this era of cyber-threats, an incident such as Marks & Spencer's ransomware is often referred to as a case study since it exemplifies how human nature has become as vital as technological defences in combating cyber-attacks.

In an era where organisations are accelerating their digital transformation and increasingly relying on distributed teams, cloud infrastructure, and third-party vendors, this attack reinforces the importance of implementing an integrated cybersecurity strategy that focuses on more than just system hardening; it also emphasises employee awareness, vendor accountability, and continuous risk management.

The most effective way for a company to protect itself is to adopt a proactive, intelligence-driven security posture rather than a reactive, reactive approach; to embed cybersecurity into every aspect of the business, governance, and culture. The deployment of behavioural analytics, third-party audits of identities, and enhancement of identity verifications are no longer optional components of modern cybersecurity frameworks, but rather essential components.

 In the face of increasing threats that are both swift and complex, resilience is not only a one-time fix but a continuous discipline that must be engineered. The M&S breach is more than just a cautionary tale. It is a call to action for enterprises to redesign their security strategies so that they can remain competitive, agile, and forward-thinking.

Read more »
Operational Technology
Canada oil and gas sector Canadian Centre for Cyber Security Cyber Attacks Cybersecurity Threats Digital Transformation Operational Technology

Canada’s Oil and Gas Sector Faces Rising Cybersecurity Threats Amid Digital Transformation

 

Canada’s oil and gas sector, a vital part of its economy, contributes approximately $120 billion, or about 5% of the country’s Gross Domestic Product (GDP). This industry not only drives economic growth but also supports essential services such as heating, transportation, and electricity generation, playing a crucial role in national security. However, the increasing digital transformation of Operational Technology (OT) within this sector has made it more vulnerable to cyber threats, according to a report by the Canadian Centre for Cyber Security.

A survey conducted by Statistics Canada revealed that around 25% of all Canadian oil and gas organizations reported experiencing a cyber incident in 2019. This is the highest rate of reported incidents among all critical infrastructure sectors, highlighting the urgent need for improved cybersecurity measures in Canada. While the digital transformation of OT systems enhances management and productivity, it also expands the attack surface for cyber actors, exposing these systems to various cyber threats.

The Canadian Centre for Cyber Security's report indicates that medium- to high-sophistication cyber threat actors are increasingly targeting organizations indirectly through their supply chains. This tactic enables attackers to gain valuable intellectual property and information about the target organization’s networks and OT systems. The reliance of large industrial asset operators on a diverse supply chain—including laboratories, manufacturers, vendors, and service providers—creates critical vulnerabilities that cyber actors can exploit to access otherwise protected IT and OT systems.

The report emphasizes that cybercriminals driven by financial gain pose the most significant threat to the oil and gas sector. Business Email Compromise (BEC) schemes and ransomware attacks are particularly prevalent. Although BEC is more common and costly, ransomware remains a primary concern due to its potential to disrupt the supply of oil and gas to customers.

The evolving cybercriminal ecosystem, including ransomware-as-a-service (RaaS) models, allows even less skilled attackers to launch sophisticated attacks, resulting in an increase in successful incidents targeting the sector. The report cites the Colonial Pipeline ransomware attack in May 2021 as a stark example of the potential consequences of such cyber incidents. This attack forced the shutdown of a major fuel pipeline in the U.S., leading to significant disruptions, panic buying, and price spikes. Similar incidents could occur in Canada, jeopardizing the supply of essential products and services.

Financial Implications of Data Breaches

The report also highlights the financial implications of cyber threats. The cost of a data breach can vary significantly, with estimates suggesting it can reach millions of dollars depending on the organization's size and nature. The potential for disruption or sabotage of OT systems poses a costly threat to owner-operators of large OT assets, impacting national security, public safety, and the economy.

The Canadian Centre for Cyber Security notes that the oil and gas sector attracts considerable attention from financially motivated cyber threat actors due to the high value of its assets. Cybercriminals target not only operational systems but also valuable intellectual property, business plans, and client information. Protecting these assets is crucial, as the disruption of operations could have far-reaching consequences.

In light of these threats, the report urges organizations within the oil and gas sector to prioritize cybersecurity investments and adopt a proactive approach to risk management. Continuous training and awareness programs for employees are essential to mitigate risks associated with human error, a significant factor in successful cyber attacks.

The Canadian Centre for Cyber Security stresses the need for collaboration between public and private sectors to combat cyber threats effectively. By sharing information and best practices, organizations can better prepare for and respond to cyber incidents.

Overall, the findings from the Canadian Centre for Cyber Security highlight the pressing need for enhanced cybersecurity measures within Canada’s oil and gas sector. With cyber threats on the rise, it is imperative for organizations to take proactive steps to safeguard their operations and ensure the resilience of this critical infrastructure. The time to act is now, as the stakes have never been higher in the fight against cybercrime
Read more »
Technology
CFO Dive ChatGPT Cyberattacks Cyberdata Cybersecurity CyberThreat Digital Transformation Shadow IT Technology

Shadow IT Surge Poses Growing Threat to Corporate Data Security

 


It was recently found that 93% of cybersecurity leaders have deployed generative artificial intelligence in their organizations, yet 34% of those implementing the technology have not taken steps to minimize security risks, according to a recent survey conducted by cybersecurity firm Splunk, which was previously reported by CFO Dive. 

In the coming years, digital transformation and cloud migration will become increasingly commonplace in every sector of the economy, raising the amount of data businesses must store, process and manage, as well as the amount of data they must manage. Even though external threats such as hacking, phishing, and ransomware are given a great deal of attention, it is equally critical for companies to manage their data internally to ensure data security is maintained. 

In an organization, shadow data is information that is not approved by the organization or overseen by it. An employee's use of applications, services, or devices that their employer has not approved can be considered a feature (or a bug?) of the modern workplace. Whether it is a cloud storage account, an unofficial collaboration tool, or an unsanctioned SaaS application, shadow data can be generated from a variety of sources. 

In general, shadow data is not accounted for in the security and compliance frameworks of organizations, which leaves a glaring blind spot in data protection strategies, which is why it poses the biggest challenge. A report by Splunk says, “Such thoughtful policies can help minimize data leakage and new vulnerabilities, but they cannot necessarily prevent a complete breach.” However, they can help minimize these risks. 

According to the study by Cyberhaven, AI adoption has been so rapid that knowledge workers are now putting more corporate data into AI tools on a Saturday and Sunday than they were putting into the AI tools during the middle of last year's workweek on average. This could mean that workers are using AI tools early on in the adoption cycle, even before the IT department is formally instructed to purchase them. 

The result would be the so-called 'shadow AI,' or the use of AI tools by employees through their accounts that are not sanctioned by the company, and maybe no one is even aware of it. Using AI in the workplace is gaining traction. The amount of corporate data workers are putting into AI tools has jumped by 485% from March 2023 to March 2024, and the trend is accelerating. There are 23.6% of tech workers in March 2024 who use AI tools for their work (the highest rate of any industry). 

It is estimated that only 4.7% of employees in the financial sector, 2.8% in the pharmaceuticals industry, and 0.6% in manufacturing industries use AI tools. The use of risky "shadow AI" accounts is growing as end users outpace corporate IT. There are 73.8% of ChatGPT users who use the application through non-corporate accounts. 

However, unlike enterprise versions of ChatGPT, the enterprise versions incorporate whatever information you share in public models as well. According to the data, the percentage of non-corporate accounts is even higher for Gemini (94.4%) and Bard (95.9%). AI products from the big three: OpenAI, Google, and Microsoft accounted for 96.0% of AI use at work. Research and development materials created by artificial intelligence-generated tools have been used in potentially risky ways currently. 

In March 2024, 3.4% of the materials were created by artificial intelligence-generated tools, which could potentially create a risk if patented materials were included. As a result, 3.2% of the insertions of source code are being generated by AI outside of traditional coding tools (which are equipped with enterprise-approved copilots for coding), which can potentially place the development of vulnerabilities at risk. 

In terms of graphics and design, 3.0% of the content is generated using AI. The problem here is that AI can be used to produce trademarked material which can pose a problem. IT administrators, security teams, and the protocols that are designed to ensure security are unable to see shadow data due to its invisibility. The fact that shadow data exists outside of the networks and systems that have been approved for data protection means that it can be bypassed easily by any protection measures put in place. 

The risk of a breach or leak when data is left unmonitored increases and does not only complicate compliance with regulations such as GDPR or HIPAA but also makes compliance with data protection laws harder. As such, an organization is not able to effectively manage all of its data assets due to an absence of visibility, resulting in a loss of efficiency and a risk of data redundancy. Shadow data poses various security risks, which include unauthorized access to sensitive data, breaches in data security, and the potential for sensitive information to be exfiltrated. 

Shadow data can be a threat from a compliance standpoint because it only requires a minimal amount of protection from inadequacies in data security. Furthermore, there is an additional risk of data loss when data is stored in unofficial locations, since such personal data may not be backed up or protected against deletion if it is accidentally deleted. The surge in Shadow IT poses significant risks to organizations, with potential repercussions that include financial penalties, reputational damage, and operational disruptions. 

It is crucial to understand the distinctions between Shadow IT and Shadow Data to effectively address these threats. Shadow IT refers to the unauthorized use of tools and technologies within an organization. These tools, often implemented without the knowledge or approval of the IT department, can create substantial security and compliance challenges. Conversely, shadow data pertains to the information assets that these unauthorized tools generate and manage.

This data, regardless of its source or storage location, introduces its own set of risks and requires separate strategies for protection. Addressing Shadow IT necessitates robust control and monitoring mechanisms to manage the use of unauthorized technologies. This involves implementing policies and systems to detect and regulate non-sanctioned IT tools, ensuring that all technological resources align with the organization's security and compliance standards. 

On the other hand, managing shadow data requires a focus on identifying and safeguarding the data itself. This involves comprehensive data governance practices that protect sensitive information, ensuring it is secure, regardless of how it is created or stored. Effective management of shadow data demands a thorough understanding of where this data resides, how it is accessed, and the potential vulnerabilities it may introduce. Recognizing the nuanced differences between Shadow IT and Shadow Data is essential for developing effective governance and security strategies. 

By clearly delineating between the tools and the data they produce, organizations can better tailor their approaches to mitigate the risks associated with each. This distinction allows for more targeted and efficient protection measures, ultimately enhancing the organization's overall security posture and compliance efforts.
Read more »
Subscribe to: Posts (Atom)