20 May 2025 | 3:39 pm
Hack Warning

Cyber Security

M&S Cyber-Attack: What Happened and What We Can Learn

In April 2025, hackers gained unauthorised access to M&S’s systems, compromising customer data and disrupting various operations. The attack forced the company to suspend online orders and disrupted the process chain across the business.

What happened?

The full extent of the breach is still being investigated, but initial reports are that DragonForce have claimed responsibility.

The initial breach is reported to have been via the IT helpdesk: the hackers impersonated employees and convinced the IT helpdesk to reset their passwords/MFA in order to gain access to the network.

Once the hackers had access, they planted malware on the systems. The malware copied data off to the hackers’ own systems, then encrypted the ‘live’ data left on M&S systems.


Lessons to learn.

Have a process in place with your IT helpdesk to verify any sensitive requests, such as resetting passwords, MFA or elevating access. At Lost in I.T, our clients know that we have a very strict process in place before we are able to reset any sensitive details. I won’t share them here (for obvious reasons) but have you tested your IT helpdesk recently to see if they will simply reset and provide your new details without fully vetting first?

Put some budget aside for security systems. M&S and Co-op are big household names, which is why they made headline news. A number of businesses and schools are breached each week and never make the news. Having a comprehensive security suite will make things difficult for hackers and raise the alarm early. With so many cyber security products, acronyms and naming conventions, from thousands of different brands, it can be a little daunting.

Whilst not all businesses have big budgets to implement everything on offer, we would recommend the two below as a minimum to include in your budgets.

1: Endpoint Detection and Response (EDR) – A good EDR is essentially the evolution of traditional Anti-Virus software. EDR will look for suspicious/unusual behaviour and close down potential threats. A good EDR will also have a roll-back function, so if your system starts to become infected, it can go back in time, to when the system was clean, reducing any downtime.

Anti-virus tends to work from a database of known threats, so if a threat is not yet known, it could go undetected.

2: Security Information and Event Management (SIEM) system – SIEM is like the all-seeing eye. It collects the logs from as many devices in the business as can be set up (firewall, Microsoft 365, laptops, servers, Wi-Fi access points, etc.), analyses them in near real-time and throws alerts for any unusual behaviour. For example, if a colleague travels to Spain on holiday and their phone picks up emails when they land, it will flag that as unusual because that colleague has never logged in from Spain before; or if somebody in the sales team downloads/accesses all the files from a SharePoint site, again it will flag that as unusual.

Worth noting that SIEM will not stop the behaviour, it will simply raise the alarm. The time it takes to on-board a SIEM, so it gets to know and learn what is normal versus suspicious, depends on the size of the business.

Both EDR and SIEM have ‘managed’ options. This means there are teams of people in a Security Operations Centre analysing the logs and alerts, which reduces the overhead of an internal team having to sieve through them.
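To show what the two SIEM rules above look like in practice, here is a small added example (not code from the original post or from any SIEM product). It parses constructed sign-in and file-access log lines in a made-up `key=value` format, learns each user's normal countries and file-access volumes from earlier events, and raises an alert on the first sign-in from a new country or on a file-access count far above the user's usual level. The log format, user names, thresholds and `min_history` learning period are all assumptions for the illustration.

```python
"""Toy SIEM-style anomaly detection over constructed log lines.

Rules (from the post):
  1. new_country  - a user signs in from a country never seen for them before.
  2. bulk_access  - a user accesses far more files than their usual volume.
All data below is constructed for the example; the line format is assumed.
"""
from collections import defaultdict

# Constructed sample log: one event per line, "<timestamp> key=value ...".
SAMPLE_LOG = """\
2025-04-01T08:01 user=alice event=signin country=GB
2025-04-01T08:05 user=bob event=signin country=GB
2025-04-01T09:00 user=alice event=file_access files=12
2025-04-01T09:10 user=bob event=file_access files=8
2025-04-02T08:03 user=alice event=signin country=GB
2025-04-02T09:02 user=alice event=file_access files=15
2025-04-02T09:15 user=bob event=file_access files=10
2025-04-03T12:40 user=alice event=signin country=ES
2025-04-03T13:00 user=bob event=file_access files=480
"""


def parse_line(line):
    """Parse one '<ts> k=v k=v' line into a dict; 'files' becomes an int."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    if "files" in rec:
        rec["files"] = int(rec["files"])
    return rec


def detect_anomalies(lines, volume_multiplier=10, min_history=2):
    """Return a list of (ts, user, rule, detail) alerts.

    The baseline is learned from the events themselves as they stream in,
    mirroring the on-boarding period in which a SIEM learns what is normal:
    a user needs at least `min_history` prior file-access events before the
    bulk_access rule can fire, and at least one prior sign-in country before
    the new_country rule can fire.
    """
    known_countries = defaultdict(set)   # user -> countries seen so far
    access_history = defaultdict(list)   # user -> past file-access counts
    alerts = []

    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        user = rec["user"]

        if rec["event"] == "signin":
            seen = known_countries[user]
            country = rec["country"]
            if seen and country not in seen:
                alerts.append((rec["ts"], user, "new_country",
                               f"first sign-in from {country}; "
                               f"previously {sorted(seen)}"))
            seen.add(country)

        elif rec["event"] == "file_access":
            history = access_history[user]
            count = rec["files"]
            if len(history) >= min_history and count > volume_multiplier * max(history):
                alerts.append((rec["ts"], user, "bulk_access",
                               f"{count} files vs usual max {max(history)}"))
            history.append(count)

    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the constructed log this produces two alerts: alice's first sign-in from Spain, and bob's 480-file access against a usual maximum of 10. Alice's jump from 12 to 15 files is not flagged because she has too little history for the rule to fire yet, which is the same reason a newly on-boarded SIEM is noisy or quiet until it has learned a baseline. A real SIEM would also correlate these with other sources (the firewall, the EDR, the helpdesk ticket system) rather than judging each event on its own.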


Check your backups are protected. Hackers are smart; simply having a backup is not enough, because they can (and will) delete or encrypt it. Storing backups in an immutable store, offline from your main networks, is highly recommended. It’s not as difficult (or as expensive) as you may think.

There are also a lot of security features that come built-in to modern devices, like firewalls for example, which cost nothing to turn on (not just on your internet connection, but on your computers, too).


To summarise:

Have a process in place with your IT helpdesk for verifying people are who they say they are, and vice-versa, how people in your business can verify it’s the IT helpdesk calling them.

Businesses are being breached every day; we only hear about the household names we can relate to. Never think you won’t be targeted: a lot of the time it’s not even a human carrying out the initial breach, it’s usually a bot designed to hit anyone and everyone.

Budget for security products. As an MSP we often get accused of upselling unnecessary products, and yes, I dare say there are MSPs out there who do this (we are definitely not one), but as a minimum aim to budget for a Managed EDR and SIEM solution. Nothing is ever 100%, but it’s like having an alarm and immobiliser on your car: they are the standard in the modern world.

Review your backups. We always ensure our clients’ backups are protected as much as possible. Having a backup is not enough; it needs to be offline and have a level of protection so it can’t be deleted or encrypted.

As always, please feel free to email me or get in touch if you have any questions or concerns.