A ransomware attack on Marks & Spencer has led to more than $1 billion being wiped off its stock market value. Bloomberg


M&S's cyber nightmare should strike fear into the heart of every CEO



May 07, 2025

Shares in Marks & Spencer continue to slide. Since the UK retailer was subjected to a successful cyber attack last month, more than £750 million ($1 billion) has been wiped off its stock market value.

Slowly, its systems are returning but there are still some gaps on shelves and online orders remain halted. It could take weeks or months to get everything up and running again. Meanwhile, UK brands Co-op and Harrods have also been hit. Others are bracing themselves in the knowledge that these infiltrations tend to come in waves. No matter when this episode is finished, there will be more in the future.

Apart from seeing customers waxing lyrical in the media and on social media about a return to "good old-fashioned shopping", with some even heralding the outbreak as a saviour of beleaguered bricks and mortar stores, it has served to highlight the extraordinary vulnerability of supposedly safe IT. Except it is not of course. Nothing ever is. No security blanket has been invented for anything anywhere that cannot be penetrated somehow.

Usually, however strong the protection, it depends on human beings for its operation. And they are susceptible to committing errors, accepting bribes and falling prey to blagging. In the case of M&S, it appears the cyber criminals committed what is referred to in the jargon as a "social engineering" offence, which really means manipulating people into sharing passwords they shouldn’t.

Typically, this can be:

  • phishing and spear phishing: sending fraudulent emails claiming to be from a reputable source, or scouring the user’s social media to build up personal detail that makes an email – from a gym, say – look all the more believable;
  • vishing and smishing: same as the email but using voice or SMS;
  • pretexting: setting up a scenario in which the data owner hands over information under false pretences;
  • baiting: offering something enticing, such as a gift card, to lure users to exchange that all-important detail;
  • tailgating and piggybacking: closely following an authorised user to gain unauthorised access, or persuading them to allow access by holding the door open, as it were;
  • quid pro quo: providing a trade or service for the code; for example, calling a company and pretending to be from the IT department trying to reach someone with a technical issue.

These are the most popular six. There are others. Merely listing them is exhausting and gives a flavour of the threat and the degree of sophistication companies must counter. Now, multiply that number many times for the total of attempts made daily at piercing open, say, a major bank or consumer-facing seller. As a senior executive at a global investment bank said, they must defeat thousands every single day. It was like being circled constantly by hordes of insects looking for any weakness, any way in.

The IRA issued a statement after the Brighton bombing that almost killed prime minister Margaret Thatcher in 1984: "Today we were unlucky, but remember we only have to be lucky once. You will have to be lucky always."

A customer uses their phone to pay inside a Marks & Spencer store in London. Bloomberg

That’s how it is for corporations conducting a never-ending battle. And it is ceaseless and relentless – instantly, as one barrier is erected another crack will be found. Probably, in order to function effectively, somewhere it will entail human fragility.

After the M&S break-in, thought to have been carried out by an affiliation of UK and US hackers calling themselves Scattered Spider, the National Cyber Security Centre issued new guidance to combat the technique used. It recommends that organisations "review help desk password reset processes" and pay particular attention to "admin" accounts, which generally have more access throughout a company’s network.
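One way to turn the NCSC advice quoted above into something a help desk can actually follow is to make the reset decision mechanical: no reset without a verified enrolled factor and a callback to the number already on file, and a second approver for any "admin" account. The script below is an added illustration, not code from the NCSC, M&S or any vendor; the account records, phone numbers and ticket details are constructed for the example, and the field names (`registered_phone`, `manager_approval` and so on) are assumptions for the purpose of the demonstration.

```python
"""Help-desk password-reset gate (added illustration; constructed data).

Models the article's point: a caller must be verified before a password is
reset, and privileged accounts get stricter, out-of-band checks. Nothing here
is the NCSC's or M&S's actual process.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Account:
    username: str
    is_admin: bool
    registered_phone: str           # number on file; callbacks go here, never to a caller-supplied number
    manager: Optional[str] = None   # approver of record for admin accounts (assumed field)


@dataclass
class ResetRequest:
    username: str
    caller_phone: str               # number the caller gave or rang in from
    mfa_challenge_passed: bool      # caller approved a push/OTP on an already-enrolled device
    callback_confirmed: bool        # help desk rang registered_phone back and the caller answered
    manager_approval: Optional[str] = None   # recorded approver; required for admin accounts


def evaluate_reset(account: Account, req: ResetRequest) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Any reason blocks the reset.

    Knowledge of personal details (address, date of birth, gym membership) is
    deliberately not a factor: that is exactly what phishing and pretexting harvest.
    """
    reasons: List[str] = []
    if req.username != account.username:
        return False, ["request does not match account record"]

    # Baseline for every account: possession of an enrolled factor.
    if not req.mfa_challenge_passed:
        reasons.append("no MFA challenge passed on an enrolled device")

    # Out-of-band confirmation to the number already on file.
    if not req.callback_confirmed:
        reasons.append("no callback to the registered number")
    if req.caller_phone != account.registered_phone:
        reasons.append("caller-supplied number differs from registered number")

    # Admin accounts: a second person must have recorded approval, and it must
    # be the manager of record, not whoever the caller names.
    if account.is_admin:
        if req.manager_approval is None:
            reasons.append("admin reset lacks recorded manager approval")
        elif req.manager_approval != account.manager:
            reasons.append("approver is not the manager of record")

    return (len(reasons) == 0, reasons)


def audit_record(ticket_id: str, account: Account, req: ResetRequest) -> dict:
    """Build the log line a help desk should keep for every reset attempt,
    allowed or refused, so that a wave of refused admin resets is visible."""
    allowed, reasons = evaluate_reset(account, req)
    return {
        "ticket": ticket_id,
        "account": account.username,
        "privileged": account.is_admin,
        "outcome": "ALLOWED" if allowed else "REFUSED",
        "reasons": reasons,
    }


# Constructed sample data for the example.
ADMIN = Account("a.admin", is_admin=True, registered_phone="+44-20-0000-0001", manager="j.manager")
USER = Account("b.user", is_admin=False, registered_phone="+44-20-0000-0002")

# A well-formed admin reset: enrolled-device MFA, callback to number on file, manager of record approves.
GOOD_ADMIN_REQ = ResetRequest("a.admin", "+44-20-0000-0001", True, True, manager_approval="j.manager")

# A pretexting-style call: caller supplies their own number, no MFA, names a different "approver".
SUSPECT_ADMIN_REQ = ResetRequest("a.admin", "+44-7700-900000", False, False, manager_approval="someone.else")

# Ordinary user, verified by MFA and callback.
GOOD_USER_REQ = ResetRequest("b.user", "+44-20-0000-0002", True, True)


if __name__ == "__main__":
    for ticket, acct, req in [("T-1", ADMIN, GOOD_ADMIN_REQ),
                              ("T-2", ADMIN, SUSPECT_ADMIN_REQ),
                              ("T-3", USER, GOOD_USER_REQ)]:
        print(audit_record(ticket, acct, req))
```

The point of the design is that the help desk is never asked to judge how convincing a caller sounds; every path to a reset runs through something the attacker does not have (the enrolled device, the phone on file, the manager of record), and every refusal is logged so that repeated attempts against admin accounts stand out.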

That will necessitate the introduction of further steel gates, but will it be enough? It could make a difference but it will not be sufficient. Where people ultimately hold the keys, nothing is.

What is alarming is how Scattered Spider and its ilk can put distance between themselves and the crime. They smash the window, dig the tunnel or bribe the guard – take your pick – but leave the actual disabling and extorting of a ransom to others. They pass those on and leave the scene. So, the folks that the company is forced to deal with are not those who broke in. That makes them all the harder to trace.

Caesars Palace Las Vegas Hotel and Casino. Getty Images

The problem is that companies do deal. They do not like to admit so but they have no choice. Scattered Spider came to attention in September 2023 when MGM Resorts and Caesars Entertainment casino groups in Las Vegas saw their accounts locked. Caesars reputedly handed over about $15 million to have them freed. Companies elsewhere have also paid up in order effectively to be allowed to resume their business.

One solution, as it is with kidnapping, is to deny the means, to not pay. But as with the holding of a person, that requires enormous courage and risk of death.

Another is to pour extra resourcing into policing, into investigating and pursuing. But that requires funding and expertise that many police forces do not have and, crucially, it depends on close international co-operation between countries: on them coming together to agree to stamp out the villains and, critically, meaning it. We are far from achieving that.

Unfortunately, until we do, there will be further claims of installing foolproof fencing and more chief executives discovering that isn’t true and receiving that late-night call they now dread the most from the IT department.

Updated: May 07, 2025, 5:19 AM