Retail under fire – the rise of cyberattacks in the retail industry

The past few months have seen retailer after retailer fall foul of the epidemic of attacks currently tearing through the industry. From the M&S and Co-op breaches in April to the attacks on Cartier and North Face this month, it is clear that no one is off limits. In the wake of this, we have spoken with three technology experts to gain their insights on why these attacks are happening now, what makes them so effective and how they can be avoided.

Retail in the crosshairs

So why is retail under the spotlight at the moment? For Shobhit Gautam, Staff Solutions Architect, EMEA at HackerOne, “the surge in attacks can be attributed to the growing dependence on digital systems, combined with the comparatively lower commitment to security measures and tools. Digital extortion has emerged as the prevailing ransomware attack model. This approach begins like a standard ransomware attack, with the victim pressured to pay up to regain access to encrypted files. Unknown to the victim, the attackers have already absconded with a substantial amount of data. Failure to meet their demands results either in threats to publicise the attack or peddle the stolen data.”

For Darren Thomson, Field CTO EMEAI at Commvault, “the news of more retailers being hit by cyberattacks – this time North Face and Cartier – is further evidence of cybercriminals’ strategy to achieve both notoriety and financial gain. Data holds incredible value, and cybercriminals will stop at nothing to obtain it, no matter the disastrous consequences for an organisation or its customers.”

As security breaches continue to hit some of the biggest names in UK retail, Glenn Akester, Technology Director for Cyber Security & Networks at Node4, explains how “these attacks have already caused significant damage to industry giants like M&S, Co-op and North Face, and, although Node4’s recent research found that the majority (92%) of mid-market organisations are confident when it comes to preventing and responding to attacks, these latest hits suggest that many retailers still lack the resilient cybersecurity foundations and operational readiness needed to withstand this new breed of threat.”

The rise of low-effort attacks

As retail continues to be under fire, it is vital for businesses to ensure their security strategies are up to scratch. However, when it comes to these crucial defences, the picture is a worrying one, according to Node4’s Akester, as “many organisations still operate on the outdated assumption that anything inside their network is safe, and only the perimeter needs defending. However, this model falls apart the moment an attacker gets hold of legitimate credentials.”

“These latest cyberattacks also highlight the importance of basic cyber hygiene,” agrees Commvault’s Thomson, “as hackers accessed North Face systems via credential stuffing, where usernames and passwords stolen from another data breach are used. By never reusing passwords and using secure password managers, these attacks can be avoided. From an organisational perspective, anomaly detection and early warning systems are essential. Knowing as soon as something out of the ordinary is happening within your systems enables security teams to isolate the environment and stop bad actors in their tracks before they have the opportunity to encrypt, steal, or remove access to critical datasets and systems.”

Gaps in this basic hygiene are ultimately what enable these devastating attacks to occur. HackerOne’s Gautam observes how “attackers are growing more organised and opportunistic. The group linked to the M&S breach, Scattered Spider, is known for using advanced social engineering tactics to infiltrate networks from the inside. This adds a new layer of complexity for defenders. It’s no longer just about building higher walls, but about anticipating how and where adversaries might slip through the cracks.”

The threat of social engineering attacks should not be underplayed, with Glenn Akester cautioning, “today’s attacks aren’t elite, technical hacks. They’re fast, persuasive and often alarmingly simple. Attackers are utilising a number of low effort techniques, such as social engineering attacks that convince employees to provide login details or approve MFA requests, hijacking valid login sessions or using leaked details obtained through past data breaches. None of these require ‘hacking skills’ in the traditional sense. They’re about slipping through the cracks – or tailgating through the front door someone else has opened.”

The future of cyber resilience

These recent attacks have highlighted the critical need for organisations – and retailers in particular – to bolster their cyber defences. When doing so, Node4’s Akester is keen to emphasise that “it’s time to stop thinking about cybersecurity as a checklist of tools and start thinking about it as a resilience strategy. Building resilience means assuming that something will get through eventually, and making sure your business can detect it, contain it, and recover quickly. This starts with understanding your risk surface, continuously monitoring for threats, testing and simulating attacks, and finally, having a clear and effective response plan.”

For Gautam, it is key to ensure that newer technologies, such as AI, are tested and secured before they are implemented in a business. He highlights the risk of implementing this technology too quickly, warning, “We’ve already seen a few retailers suffer reputationally from AI chatbots going awry. One way of minimising the potential of harmful inputs from chatbots is through community-led AI red teaming, which tests AI systems for harmful outputs before bad actors can take advantage of systems.”

Thomson concludes, “achieving enterprise-grade cyber resilience is more than building taller walls or deeper moats. It requires a new approach that looks holistically across the entire landscape, from best-in-class data protection and security to AI-powered data intelligence and knowing your Minimum Viable Company to allow lightning-fast recovery.”

The 4iMag Team is a collective byline representing the collaborative work of journalists, researchers, academics, and field experts who contribute to 4i Magazine’s exploration of innovation, intelligence, information, and insight. Each article published under the 4iMag Team is a result of interdisciplinary collaboration—blending in-depth journalistic investigation with the expertise of leading lecturers, professionals, and specialists from around the world. By fusing front line reporting with expert perspectives, especially on breakthroughs in fields like artificial intelligence, cybersecurity, space technology, and emerging scientific paradigms, the 4iMag Team produces timely, well-researched content that is both accurate and rich in thought leadership.