How hackers 'tricked' IT department of one of the biggest UK retailers to disable its entire online operations

Last month, a group of cybercriminals brought the online operations of Marks & Spencer to a halt by reportedly exploiting a basic human vulnerability. Posing as legitimate employees, the hackers called up the IT help desks of one of the UK’s largest retailers and convinced its staff to reset passwords for the accounts they had impersonated, a report claims. With those credentials in hand, they infiltrated the company network and disabled its website and app ordering systems. Two weeks after the incident, customers remain unable to place clothing and home orders online, while M&S claims to be working “day and night” to restore services. However, the retailer has not provided a timeline for resuming online orders, noted that some food products remain unavailable, and has yet to disclose the financial impact of the disruption.M&S first encountered disruptions over the Easter weekend, when customers reported issues with Click & Collect and contactless payments. The company confirmed it was dealing with a “cyber incident,” and although these services have since resumed, it paused online orders on its website and apps last week. A week later, there is still no timeline for when online ordering will restart.In-store, some food items remain unavailable as M&S continues to take systems offline to manage the attack. Signs on empty shelves read: “Please bear with us while we fix some technical issues affecting product availability.” Although the retailer had hoped to restore full food availability by the end of the week, it remains unclear whether that target will be met.Additionally, M&S has temporarily removed all job adverts from its website. Visitors now see a message stating: “Sorry you can’t search or apply for roles right now, we’re working hard to be back online as soon as possible.”Cybersecurity experts have warned UK businesses against data breachesAccording to a report by BleepingComputer, Britain’s National Cyber Security Centre has also advised all organisations to audit their help-desk procedures to identify and prevent such incidents.In a joint blog post (seen by Bleeping Computer), Jonathon Ellison and Ollie Whitehouse, national resilience director and chief technology officer at Britain's cyber security centre, respectively, said: “Criminal activity online – including, but not limited to, ransomware and data extortion – is rampant. Attacks like this are becoming more and more common. And all organisations, of all sizes, need to be prepared.”Investigators have confirmed that it was a ransomware attack. Ransomware is malicious software that infiltrates computer systems, encrypts critical data or files, and demands payment, often under threat of leaking or selling the stolen information.Security experts speaking to the BBC have attributed the breach to a ransomware group known as “DragonForce,” which rents its malware tools to other criminals. This arrangement makes it difficult to identify the exact actors, though many in the cybersecurity community suspect a teen hacker collective called Scattered Spider. Meanwhile, the Metropolitan Police have confirmed they are investigating the incident.