Breaches Leave Retailers Reeling
April 2025 was not a month UK retail will want to repeat, but it certainly provided valuable lessons for us all, particularly around identity management.
Marks and Spencer, Co-op, and Harrods all had to restrict IT services in some way and both M&S and Co-op have suffered customer data exfiltration.
Not only that, but Marks and Spencer's online ordering is still paused six weeks after they first reported the breach on 22nd April 2025. Online ordering accounts for 33% of their UK Clothing and Home sales, worth approximately £3.8m a day. (The Guardian 18th May 2025).
Three weeks after their breach, my local Co-op still had half empty shelves due to the disruptive impact of the breach on their supply chains.
Root Cause
Whilst the full details are still unknown, “real” identity seems to have been at the fore of the attacks: both the Co-op and M&S breaches involved some kind of social engineering (the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes). In the case of M&S, the attackers impersonated IT help desk personnel.
People pretending to be someone they are not isn’t unusual, but this is generally unexpected in a professional environment, and it can be difficult (particularly in less direct cultures like the UK) to challenge others. (A colleague once had a very trying encounter with a senior executive at a well-known UK financial institution who demanded, face-to-face, that my colleague circumvent access restrictions and show him protected data).
We need to develop cultures where it’s OK to challenge, and you expect to be challenged. We’ve all been taught to be suspicious of any unexpected call concerning financial information. We call them back on the “official” number, so why can’t we do this for the help desk?
Proper identity verification is clearly essential, particularly for ‘break glass’ scenarios, and robust protocols are needed between organisations so that bad actors cannot take advantage of emergency situations. In addition, it seems possible that the attackers in these examples exploited SIM swapping, suggesting that mobile network operators must move identity verification protocols away from information about the target that can be easily gathered, such as name, address, or mobile number.
The use of remote access tools must also be treated with the utmost caution. Use should be carefully managed, and policy strengthened to include supervisor approvals where appropriate.
Continuous training is vital and, as a fan of practice above theory, I like to include some real-world examples and role-play/tabletop exercises to really drive home the experience and give team members practice in confidently responding to potential challenges.
Teams should also be briefed on what to look out for: unusual activity, phishing emails, new accounts being created, more frequent or unusual requests for elevated privileges, etc.
The UK's National Cyber Security Centre has published some recommendations following these breaches that sit alongside their guidance on mitigating malware and ransomware attacks.
Digital Identity
It has been reported, although not yet confirmed, that there may be a third-party supplier that was the unwitting conduit for the breaches. Regardless of whether this is true in this instance, it does shine a spotlight on external or partner identities and how these are managed within an organisation. Time and time again, these have been shown to be “the weakest link” and yet the industry applies all of its focus to workforce and consumer identities. When the focus is predominantly on those identities covered by the regular HR/sales validation process, how are these “other” identities being managed?
Surprisingly often we find that the answer is somewhere close to “haphazardly”. External or non-human identities are often difficult to manage in most IAM tools, and the use cases have to be shoehorned into the tool. The process often involves a lot of manual intervention which increases the risk of human error (or human forgetfulness) and opens these identities to potential abuse from bad actors.
Accountability is all too often unclear and, in the worst cases, non-existent. HR teams will not take responsibility for non-HR user identities and these identities therefore do not have owners or managers assigned.
What needs to be done?
- Know what you have and where it is - usually the answer to this one is lots of spreadsheets. Are you suffering from administrative burden and unnecessary duplication of effort because there is no centralised process for managing external identities?
- Who owns the data? Who should own the data and be responsible for usage and approvals? Run a recertification campaign if you can. Are there any accounts no longer in use?
- Can you do some business analysis and align all your external identity types to agreed, defined business roles? For example, the external user identities could be suppliers, tenants, business partners, contractors, seasonal workers, auditors, interns, robots, or anything requiring access to your network.
- What process should be followed in the management of these identities? The full user lifecycle needs to be accounted for. In particular the leaver process - how soon are you disabling users once access is no longer required? What happens if this termination is at short notice? Identity management should be subject to periodic reviews and recertification campaigns.
- How should users be created and suspended? However this is achieved, it must be time-bound and preferably automated.
- What access should your user types have? This should be defined in alignment with roles and business case. Absolutely refrain from creating users “like Mike”, i.e. duplicates of existing named user identities. All access should work according to the principle of least privilege, be immediately suspended when no longer required, and be subject to periodic reviews.
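The review steps above, as an added worked example that is not from the original post or from Madigan's UMT: a small Python recertification check over a constructed set of external identities that flags missing owners, undefined roles, entitlements cloned beyond the role, lapsed end dates and dormant accounts. The role names, entitlements and user records are assumed sample data.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed example: agreed business roles for external identities and the
# entitlements each role is permitted (assumed names, not any real organisation's).
ROLE_ENTITLEMENTS = {
    "supplier":   {"portal-login", "invoice-upload"},
    "contractor": {"portal-login", "vpn", "ticketing"},
    "robot":      {"api-token"},
}
@dataclass
class ExternalIdentity:
    user_id: str
    role: str
    owner: Optional[str]        # accountable internal manager; None means nobody owns it
    end_date: date              # access is time-bound: suspend after this date
    last_login: Optional[date]  # None means the account has never been used
    entitlements: set = field(default_factory=set)

def review_identity(ident, today, dormant_days=90):
    """Return the recertification findings for one identity (empty list = no action)."""
    findings = []
    if ident.owner is None:
        findings.append("no accountable owner")
    if ident.role not in ROLE_ENTITLEMENTS:
        findings.append(f"undefined role '{ident.role}'")
    else:  # anything beyond the role's set was copied from a person, not derived from the role
        excess = ident.entitlements - ROLE_ENTITLEMENTS[ident.role]
        if excess:
            findings.append("entitlements beyond role: " + ", ".join(sorted(excess)))
    if ident.end_date < today:
        findings.append("end date passed; access should already be suspended")
    if ident.last_login is None or (today - ident.last_login).days > dormant_days:
        findings.append(f"no login in the last {dormant_days} days")
    return findings

def run_campaign(identities, today):
    """Map each identity needing action to its findings; clean identities are omitted."""
    return {i.user_id: f for i in identities if (f := review_identity(i, today))}
# Constructed sample population and review date; con-018 was created "like Mike",
# i.e. copied from a named staff account, so it carries HR-only entitlements.
TODAY = date(2025, 6, 1)
SAMPLE = [
    ExternalIdentity("sup-001", "supplier", "j.smith", date(2025, 12, 31), date(2025, 5, 28), {"portal-login", "invoice-upload"}),
    ExternalIdentity("con-017", "contractor", None, date(2025, 3, 31), date(2025, 1, 10), {"portal-login", "vpn"}),
    ExternalIdentity("con-018", "contractor", "a.jones", date(2025, 9, 30), date(2025, 5, 30), {"portal-login", "vpn", "hr-records", "payroll"}),
    ExternalIdentity("bot-004", "robot", "platform-team", date(2026, 1, 1), date(2025, 5, 31), {"api-token"}),
]
```

Calling `run_campaign(SAMPLE, TODAY)` returns only the two identities that need action, which is the list an owner would be asked to certify or suspend.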
Madigan’s UMT (User Management Tool) can help with all of these use cases. It is flexible enough to address even the most complex business use case.
If you are still in doubt about the impacts, according to The Guardian (18th May 2025), the Marks and Spencer cyber-attack has wiped more than £1.1bn off their market value. They also reported on 21st May 2025 that: