Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Ransomware Breach. Show all posts
Ransomware Breach
Critical Systems Security Cybersecurity Threats Dark Web Claims Data Breach Digital Risk Management Gaming Infrastructure IGT Cyberattack Lottery Technology Ransomware Breach

IGT Responds to Reports of Significant Ransomware Intrusion

 


An investigation by the Russian-linked ransomware group Qilin has raised fresh concerns within the global gaming and gambling industry after they claimed responsibility for the cyber intrusion that targeted global gambling giant IGT in recent weeks. 

A dark-web leak site that listed the company on Wednesday stated that it had exfiltrated ten gigabytes of data, or more than two thousand files, which is an amount that would equal around ten gigabytes of internal data. The posting itself didn’t provide many details about this. 

As can be seen by the entry stamped in bright green with the word “Publicated”, IGT does not appear to have communicated with Qilin or they refuse to accept ransom demands from him. IGT offers a complete suite of products and services to casinos, retailers, and online operators worldwide that range from gaming machines to lottery technology to PlaySports betting platforms to iGaming systems. 

Through its suite of products, IGT supports millions of players every day. This recent breach has prompted increased scrutiny of a leading technology provider’s security posture, and raised questions about the potential impact on operations and the broader gaming infrastructure of this company. According to a recent filing submitted to the Securities and Exchange Commission, International Game Technology (IGT) has acknowledge that it is in the middle of managing a major cyber incident. 

In the filing, IGT confirmed an unauthorized attempt to access portions of its internal IT system on November 17 was detected. There is a note in the disclosure that indicates that the company's incident response procedures were immediately activated after the intrusion. 

These procedures included a number of steps commonly associated with attempts to contain suspected ransomware activities, including taking certain systems offline and engaging external forensic specialists to assist in the investigation. 

In the midst of it assessing the extent of the disruption, the notorious ransomware group Qilin also has mentioned IGT, claiming that around 10GB of data, or over 21,000 files, has been stolen from its dark-web leak portal. Despite the fact that Qilin has not yet provided proof of compromise samples, the group has labeled the archive as published, a term criminals frequently use to indicate that exfiltrated data is now circulating beyond the victim's control. This adds further urgency to IGT's efforts to contain and remediate the data in question.

A report from Cybernews claims that Qilin's leak page also offers a link to an FTP file believed to contain a complete cache of allegedly stolen information, but no verification has been made and the amount of information available is limited at this point. To date, IGT has not either confirmed or denied the gang's assertions and has not responded to media inquiries seeking clarification. 

As one of the world's biggest gaming companies, GTECH offers a range of lottery technology products across more than 100 jurisdictions, including electronic gaming machines, iLottery systems, and sports betting platforms. Its headquarters are in London, with major operations centers in Las Vegas, Rome, and Providence. IGT is the primary technology partner for 26 U.S. lotteries and casinos, serving dozens of lottery operators and casino operators across the country. 

The entire lottery industry has been facing increasing cyber threats; earlier this year, the Ohio Lottery suffered a ransomware attack that disrupted jackpot information, delayed prize claim processing, and exposed sensitive consumer and retailer information. 

With such a backdrop in mind, IGT’s statement to the SEC underscored the company’s commitment to minimizing operational disruptions while restoring systems and maintaining transparency with its customers. In order to ensure service stability while forensic specialists continue their assessment, the company has deployed contingency solutions under its business continuity framework. 

It is vital that IGT maintains trust among lottery operators, casino customers and millions of daily users as it navigates the aftermath of the breach. IGT continues to work to secure that trust as the recovery proceeds. In light of the ongoing investigation, this incident underscores the widening threat landscape that operators of high-value digital games and lotteries face.

In order to achieve the best results for IGT, it is imperative that they reinforce cyber-resilience, accelerate security modernization, and strengthen partnerships with regulators and industry partners. It is widely believed that maintaining transparency, rapid threat intelligence sharing, and investing in robust incident response capabilities will be crucial not only for restoring confidence, but also for safeguarding interconnected gaming ecosystems from increasingly sophisticated ransomware actors who are eager to exploit any vulnerabilities that may arise.
Read more »
Vulnerabilities
Cyber CyberCrime Cybersecurity CyberThreat Data Breach Digital Transformation Mark&Spencer Ransomware Breach Social Engineering Vulnerabilities

Social Engineering Identified as Catalyst for M&S Ransomware Breach

 


Marks & Spencer (M&S), one of the largest and most established retailers in the United Kingdom, has confirmed that a highly targeted social engineering operation triggered the ransomware attack in April 2025. This breach, which is associated with DragonForce ransomware, points to a disturbing trend in the cybersecurity landscape, namely that human manipulations are increasingly becoming a way to access large-scale digital networks.

Several preliminary findings suggest that the attackers deceived individuals within or connected to the organisation, possibly by posing as trusted employees or partners, to gain unauthorised access to M&S's internal systems. Once they gained access, the attackers deployed ransomware that crippled the organisation's operations and led to the theft of approximately 150 GB of sensitive information.

It is important to note that not only did the attack disrupt critical business functions, but it also exposed the weakness in the company's dependence on third-party vendors, whose vulnerabilities may have contributed to the intrusion. While the company is actively regaining control of its infrastructure as a result of the breach, the incident is a clear warning to organisations across many sectors about the growing threat of social engineering as well as the urgent need for more robust human-centred cybersecurity defences to protect against it.

A public hearing was held on July 8, held at Parliament, in which Archie Norman, Chairman of Marks & Spencer (M&S), gave further insight into the cyberattack in April 2025 that disrupted the retailer's operations. Norman acknowledged that the incident was indeed a ransomware attack, but he declined to divulge whether the company had negotiated anything with the threat actors involved or negotiated a financial settlement. 

According to Norman, who addressed the Business and Trade Sub-Committee on Economic Security, Arms and Export Controls at the UK Parliament, the experience was one of the most disruptive and complex crises he had experienced in his considerable career in business and retail before this one.

As part of the presentation, he stressed the severity and unprecedented nature of the attack that, as it has been discovered, was carried out by the Scattered Spider cyber criminal collective, which is well known for attacking major corporations using DragonForce ransomware infrastructure as a means of extortion and ransom.

It is clear from Norman's testimony that cybercriminal groups have become more bold and technically sophisticated over the last few years, particularly those that employ social engineering as a way to circumvent protocols of conventional security and bypass them.

Aside from acknowledging the considerable operational challenges the company faced in responding to the incident, the chairman pointed out that businesses must strengthen their digital resilience and make themselves more resilient in a rapidly evolving threat landscape, which is difficult to predict. Even though Archie Norman did not disclose specific details about the operation, he did reveal that initially, the attackers were successful in gaining access by exploiting the impersonation scheme devised by an expert security expert.

According to him, the threat actors posed as some of the approximately 50,000 Marks & Spencer employees and successfully deceived a third-party service provider into resetting a legitimate employee's password after posing as one of these employees. As a result of the attackers' seemingly simple deception, they were able to bypass identity verification protocols and gain unauthorised access to the retailer's internal systems, resulting in the attackers gaining access to the retailer's internal network.

In addition, the tactic represents a growing trend in cybercrime in which attackers exploit the trust that large, distributed organisations place in their internal and external vendors to gain access to their networks. The perpetrators were able to manipulate routine IT processes, such as password resets, and then move laterally within the network, setting the stage for a wider deployment of ransomware.

There is an important lesson to be learned from the incident regarding the importance of stringent verification procedures when working with external partners who can become weak links in your security chain, particularly when engaging with external partners. As reported in the Financial Times in May, Tata Consultancy Services (TCS) allegedly initiated an internal investigation to determine whether the company unknowingly played a role in the cyberattack on Marks & Spencer by facilitating the cyberattack.

In the case of TCS, which provides M&S's help desk support, it has been suspected that the threat actors have manipulated the company into resetting the password of an employee, enabling the attackers to gain access to the retailer's internal network. The threat actors are alleged to have done this through the manipulation of TCS. This potential compromise highlights the broader risks associated with outsourcing IT operations and the increasing reliance on third parties to handle critical business functions, as well. 

As a first step towards the resolution of the breach, M&S has publicly identified the DragonForce ransomware infrastructure as how the attack was carried out, revealing that the perpetrators are suspected of operating from Asia. The acknowledgement comes as the company continues to recover, witha phased return to its online retail services being phased in.

 With the introduction of limited home delivery options on June 10, M&S has made it possible for select fashion products to be delivered to customers across England, Wales, and Scotland. Currently, the service is only available to customers in England, Wales, and Scotland. As part of its commitment to managing operational strain and ensuring service reliability, M&S has temporarily extended its standard delivery window to 10 days to ensure service reliability.

 In terms of customer impact, M&S confirmed that certain personal data was compromised during the breach, but that click-and-collect services, which are still suspended as part of the recovery process following the attack, will also be reinstated shortly. As a matter of fact, M&S confirmed that certain personal data had been compromised. Among the information exposed are names, home addresses, phone numbers, email addresses, dates of birth, and information about online orders, which is often exposed.

Despite this, the company has assured the public that no usable information, such as payment information, credit card numbers, or passwords, has been compromised. As a precautionary measure, M&S will ask customers to reset their passwords to ensure that their personal information remains safe. Customers are advised to remain vigilant to be aware of possible phishing attempts or fraudulent activity involving their personal information.

While speculation continues to abound on the possible financial resolution of the ransomware attack, Marks & Spencer has chosen not to disclose whether they have made a ransom payment in the first place. Chairman Archie Norman's testimony made reference to professional ransomware negotiation firms in his testimony. These firms, which are usually specialised intermediaries that assist victim organisations to engage threat actors and facilitate cryptocurrency payments, typically using Bitcoin, are often used by these firms to help victims resolve these threats.

In response to a direct question regarding whether M&S had met the ransom demand, Norman declined to provide a definitive answer. He stated that the company had "not discussed those details publicly" as they believed it was not in the public interest to do so. However, he emphasised that the National Crime Agency (NCA) and other law enforcement authorities had been notified of the full extent of the investigation.

Many experts on the subject of cybersecurity warn that ransomware groups rarely cease extortion efforts without compensation. Because the stolen data has not yet been disclosed publicly, experts believe a ransom might have been paid quietly or negotiations may still be ongoing with the attackers.

Regardless of the outcome of the M&S breach, it serves as a sobering reminder that cybersecurity failures have evolved beyond technical vulnerabilities and are now a result of failures across people, processes, and technological safeguards as well. Despite the rapid evolution of the threat environment in today's world, traditional security tools such as antivirus software are no longer sufficient to deal with the growing number of malware groups that are becoming increasingly agile.

It is imperative that businesses adopt adaptive security architectures that are policy-driven and capable of detecting and neutralising threats before they escalate. In light of the M&S incident, there is an urgent need to develop an approach to cyber resilience that anticipates human error, strengthens digital ecosystems, and minimises the operational and reputational costs associated with an attack.

 In this era of cyber-threats, an incident such as Marks & Spencer's ransomware is often referred to as a case study since it exemplifies how human nature has become as vital as technological defences in combating cyber-attacks.

In an era where organisations are accelerating their digital transformation and increasingly relying on distributed teams, cloud infrastructure, and third-party vendors, this attack reinforces the importance of implementing an integrated cybersecurity strategy that focuses on more than just system hardening; it also emphasises employee awareness, vendor accountability, and continuous risk management.

The most effective way for a company to protect itself is to adopt a proactive, intelligence-driven security posture rather than a reactive, reactive approach; to embed cybersecurity into every aspect of the business, governance, and culture. The deployment of behavioural analytics, third-party audits of identities, and enhancement of identity verifications are no longer optional components of modern cybersecurity frameworks, but rather essential components.

 In the face of increasing threats that are both swift and complex, resilience is not only a one-time fix but a continuous discipline that must be engineered. The M&S breach is more than just a cautionary tale. It is a call to action for enterprises to redesign their security strategies so that they can remain competitive, agile, and forward-thinking.

Read more »
Subscribe to: Comments (Atom)