What the Marks & Spencer Breach Tells Us About the Next Era of Identity Attacks
A Scattered Spider attack exploited systemic service desk flaws and weak privileged access controls. Here’s how to shut the door for good.
When news broke that Marks & Spencer was compromised in a ransomware campaign tied to Scattered Spider, many assumed it was a case of internal failure. But the truth is more complex, and more concerning for retail CISOs everywhere.
M&S, like many retailers, relied on a third-party IT provider to manage service desk operations. According to multiple forensic reports, Scattered Spider deliberately targeted this provider due to systemic weaknesses in their service desk processes, then leveraged privileged access to pivot into client environments — including M&S.
In short: the attackers didn’t hack the retailer. They walked through a door left open by the service provider.
The breach went undetected for months after the initial February compromise, culminating in DragonForce ransomware encrypting VMware ESXi hosts on April 24th. The aftermath has been devastating: more than $400 million in lost profit and more than $1 billion wiped from M&S’s stock market value.
The Supply Chain Identity Problem Is Getting Worse
This isn’t an isolated incident. By early May, luxury department store Harrods and fashion retailer Dior had been targeted in cyberattacks, while Danish food giant Arla Foods was hit mid-May. The M&S, Co-op, and Harrods attacks have been linked to similar tactics, suggesting a coordinated campaign against UK retailers.
What makes these attacks so dangerous isn’t sophisticated malware or zero-day exploits. It’s the abuse of legitimate access and trust relationships. Scattered Spider is believed to be a decentralized network composed largely of native English-speaking young people who coordinate in real-time over Discord, Telegram, and underground forums, using social engineering rather than technical hacking.
The M&S breach follows a predictable pattern: compromise a service provider with weak identity controls, inherit their privileged access to client environments, then move laterally to deploy ransomware. What’s particularly troubling is how the attackers used SIM swapping to bypass traditional forms of multifactor authentication (MFA), then tricked IT help desks to gain deeper access.
Once inside, they exploited M&S’s Microsoft Active Directory to gain broad system access — a classic case of authentication bypass leading to total compromise.
Why This Matters for Retail CISOs
Retail environments are sprawling, fast-moving, and heavily reliant on third-party IT providers. Unlike organizations in financial services or healthcare, retailers often lack the security hardening that comes with heavy regulation.
This breach is a textbook case of supply chain identity compromise — where attackers bypass perimeter defenses by exploiting trust and privilege in the authentication chain. Traditional MFA, VPNs, and endpoint security can’t stop an attacker who already has legitimate vendor access.
The financial impact extends far beyond immediate losses. According to a recent survey, more than 60% of consumers would stop shopping with a brand that suffered a security incident, while IBM estimates the average cost of a data breach is now $4.88 million per incident.
How Modern Identity-Based Authentication Stops These Attacks
As the M&S breach demonstrates, authentication built around credentials, devices, or even basic biometrics isn’t enough. Attackers can steal credentials, compromise devices, and even register fraudulent biometrics if they have administrative access.
The solution requires identity-based authentication that verifies the human behind every login, not just what they possess or know. Here’s how 1Kosmos addresses the three critical vulnerabilities exposed in the M&S breach:
1. Identity-First Authentication — Not Just Credentials
Traditional MFA relies on “something you know, something you have, something you are.” But Scattered Spider has proven they can compromise all three. Anyone with administrative access or a successful SIM swap can register things like user biometrics to any device — or set up an alternative identity provider to bypass authentication measures altogether.
1Kosmos takes a different approach. Our platform uses machine-verified identity proofing tied to government-issued credentials, combined with live biometric verification that detects presentation attacks including deepfakes. The private key of a matched public-private pair in the user’s device serves as the possession factor, while a live facial scan provides the inherence element — with 99.9% accuracy in confirming the authorized user’s identity.
2. Verified Privileged Access Controls
In the M&S breach, the third-party service desk provider, TCS, allegedly handed over privileged access without proper verification processes. With 1Kosmos, privileged access cannot be granted without a re-authenticated, identity-verified session, regardless of the requesting party’s VPN connection or claimed authority.
Our solution integrates with existing privileged access management systems to ensure every high-risk action requires fresh identity verification — not just inherited trust from a service provider.
3. Zero Trust Extended to Vendors
The traditional model of trusting third-party service desks is fundamentally broken. 1Kosmos enforces continuous identity assurance and step-up authentication based on risk, device, location, and behavior — even for trusted service providers.
This approach would have prevented the M&S breach by requiring fresh identity verification for any privileged actions, regardless of TCS’s existing access agreements.
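As an added illustration (not 1Kosmos code and not any vendor's API), the following Python policy check models the rule behind sections 2 and 3: a privileged action proceeds only on a fresh live identity verification, while vendor origin, VPN presence and claimed authority are deliberately not consulted. The action names, the five-minute freshness window and the request fields are constructed assumptions for this example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Constructed set of actions treated as privileged: the kinds of steps the article
# describes (help-desk resets, MFA/biometric enrolment, alternate IdP setup, AD changes).
PRIVILEGED_ACTIONS = {
    "password_reset", "mfa_method_enroll", "idp_federation_add",
    "ad_group_modify", "esxi_console_login",
}
MAX_VERIFICATION_AGE_S = 300  # assumed freshness window: verified within the last 5 minutes


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # caller must complete a new live identity verification, then retry
    DENY = "deny"


@dataclass
class AccessRequest:
    subject: str
    action: str
    device_key_enrolled: bool             # device holds a private key bound to a proofed identity
    verification_age_s: Optional[int]     # seconds since last live verification; None = never
    via_vendor: bool = False              # request arrives through a third-party service desk
    on_vpn: bool = False                  # recorded but ignored: a VPN tunnel is not an identity
    claims_authority: bool = False        # "I'm the service desk, approve this" is not an identity


def evaluate(req: AccessRequest) -> Decision:
    """Decide whether the request may proceed on verified identity alone."""
    if not req.device_key_enrolled:
        # Without an enrolled key the session cannot be bound to a proofed human.
        return Decision.DENY
    if req.action not in PRIVILEGED_ACTIONS:
        return Decision.ALLOW
    # Privileged path: only a recent live verification counts. via_vendor, on_vpn and
    # claims_authority are inherited-trust signals and carry no weight here.
    if req.verification_age_s is None or req.verification_age_s > MAX_VERIFICATION_AGE_S:
        return Decision.STEP_UP
    return Decision.ALLOW


if __name__ == "__main__":
    # Constructed case: vendor desk on VPN asserting authority, but last verified an hour ago.
    stale_vendor = AccessRequest("vendor-desk", "password_reset", True, 3600,
                                 via_vendor=True, on_vpn=True, claims_authority=True)
    print(evaluate(stale_vendor))  # Decision.STEP_UP
```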
The Bottom Line: Retailers Can’t Afford to Outsource Trust
The M&S breach isn’t just a cautionary tale — it’s a preview of what’s coming for every retailer that hasn’t modernized its identity infrastructure. Google has warned that there are signs Scattered Spider may be moving on from UK retailers and pivoting to direct cyberattacks against retail sector targets in the US.
As these attacks demonstrate, your security is only as strong as your weakest vendor’s identity controls. Traditional authentication methods that rely on credentials, devices, or basic biometrics simply can’t defend against social engineering attacks that compromise the authentication process itself.
1Kosmos provides the only NIST, FIDO2, and FedRAMP High certified platform that combines indisputable digital identity proofing with advanced biometrics and passwordless authentication. Our solution ensures that every access request, whether from employees, contractors, or vendors, is verified against a live human identity, not just inherited trust relationships.
The next supply chain attack is already being planned, and the attackers behind it are counting on inherited trust to get them in.
Ready to modernize your identity infrastructure? Contact us today to learn more.
