I recently posted an article about the importance of data protection, specifically unstructured data.

In addition, I have previously shared my perspective regarding FIDO2 and Passkeys, deployed as a mechanism to remove the reliance on passwords, whilst enabling phishing-resistant authentication.

Recognising the ever-evolving threat landscape and growth in advanced social engineering tactics, I believe these two areas should be prioritised by all individuals and businesses. They do not guarantee safety but would offer significant protection against the impact of this common threat vector.

As a recent example, approximately three weeks ago, Marks and Spencer (M&S) was hit by a cyberattack, which disrupted operations at their retail stores, forced them to suspend online sales and disclose the loss of personal data covering their 9.4 million active customers.

For those who do not know, Marks and Spencer is a major British multinational retailer (founded in 1884), selling clothing, beauty products, home products and food.

At the time of writing, Marks and Spencer are still unable to accept online orders, costing them an estimated £43m a week in lost sales, alongside a share drop of 12%. This does not take into consideration the brand damage, legal/compliance ramifications and significant unplanned investment to recover and fortify their infrastructure.

The full details of the attack are yet to be disclosed publicly. However, it is understood that the origin of the attack was social engineering, with an adversary contacting the Marks and Spencer IT Service Desk and convincing the support agent to reset the password on an account. With this access, the adversary was able to steal and encrypt data, crippling operations, and then issued a ransom demand.

Marks and Spencer have published a dedicated page focused on the cybersecurity incident. The BBC also has additional details, including advice for anyone impacted by the data loss.

I empathise with the IT and Information Security teams at Marks and Spencer and I hope they are receiving the appropriate support as they work through the details of this high-profile incident.

Finally, let this be a warning to everyone, especially businesses. We must all continue to proactively engage and invest in cybersecurity, ensuring protections are “right-sized” against the risks, with a focus on continuous improvement, including awareness and education.