
Avoiding service desk exploitation: deconstructing the modern retail attack

News Room
Last updated: 2025/09/19 at 1:11 PM
News Room Published 19 September 2025

In recent months, it feels like every week a new retailer discloses a breach. From high-end retailers to high street favorites, no retail organization is off-limits for hackers.

In Q2 2025, publicly disclosed ransomware attacks targeting the retail sector globally surged by 58% (compared to Q1), with UK businesses taking the brunt.

Darren James

Senior Product Manager at Specops Software.

While the scope, scale and impact of each breach varies, the potential consequences can be devastating and wide ranging, including potential loss of revenue, disruption to services and/or reputational damage.


This begs the question: is it a coincidence that so many retailers are being hacked? And just how are hackers infiltrating these organizations?

In many of these cases, the answer lies at the very service desks where employees and customers seek help.

Deconstructing the M&S Cyberattack

Take the recent cyberattack against British retail giant Marks & Spencer (M&S). M&S are a cornerstone of the British high street, employing over 64,000 people at more than 1,000 stores nationally.

Attackers (thought to be from the hacking group Scattered Spider) reportedly infiltrated M&S’s IT system as early as February, deploying ransomware that encrypted critical systems and disrupted operations across all stores.

To enter the system, cybercriminals posed as legitimate employees to deceive the IT help desk into resetting passwords and disabling multi-factor authentication (MFA).

This provided attackers access to sensitive internal systems, where they stole a critical file containing password hashes from M&S’s Active Directory.

The hack also significantly disrupted business operations, leading to a five-day suspension of online sales, averaging £3.8 million in daily losses, and caused a more than £500 million drop in the company’s stock market value.


This attack M.O. mirrors other recent high-profile breaches, notably ones against other UK retail organizations such as Co-op and Harrods. In the Co-op cyberattack, cybercriminals impersonated employees to trick IT staff into resetting passwords.

While Co-op successfully prevented a complete ransomware deployment by proactively shutting down portions of its IT infrastructure, significant operational disruption occurred, the same as with M&S, showing that even a partially successful breach can have wide-ranging impacts.

The Anatomy of a Service Desk: What Makes Them Prime Targets?

Service desks often hold privileged access to critical IT systems, including the ability to manage user accounts, reset passwords, and alter MFA settings. By utilizing psychological manipulation, cybercriminals can make their social engineering attempts highly credible.

As a result, service desk staff, who prioritize customer service and efficiency, may fall for these requests, which can appear entirely legitimate. However, service desks are often left behind in the conversation on cybersecurity.

Service desks are often forgotten when it comes to cybersecurity because they’re viewed as reactive support, not proactive defense. Their focus on quick issue resolution, coupled with a lack of specialized security training, leads to frontline staff potentially missing subtle signs of cyberattacks like phishing or social engineering.

This oversight creates a critical vulnerability, as the service desk acts as a prime target and crucial ‘human firewall’, often being the first point of contact for a breach. Neglecting them in security strategies can severely compromise an organization’s overall defense.

So, how can business leaders protect their organizations and service desks?

Protecting the Service Desk: Mitigating Incidents Proactively

Proactive security continues to reign supreme when it comes to mitigating attacks. Although the service desk is a reactive service, business leaders must secure it proactively to stay ahead of incidents.

With the flurry of cyber attacks on British retailers, the potential impact can be devastating. One thing is clear: now is the time to secure the service desk.

Organizations with service desks, in the retail sector and otherwise, can protect themselves from similar attacks with the following best practices:

– Implement robust verification processes of the callers and make sure your IT desk agents have the support they need to fight back against social engineering.

– Enforce modern password policies which require minimum 15-character passwords for users or minimum 30-character passwords for service accounts. The easiest way to do this is through easy-to-remember passphrases.

– Encrypt and secure all critical system backups, especially Active Directory database backups. With offline backups, organizations can recover in the case of a ransomware attack without paying ransom. These backups must be stored offline and regularly tested for integrity.

– Detect and contain lateral movement to buy IT response time. By monitoring detailed AD logs to spot abnormal actions, organizations can be proactively prepared to respond to incidents.

– Tightly control privileged accounts to reduce access to protected information across the board.

– Always monitor AD password activity to stay aware of unusual changes or suspicious actions.

– Enable MFA for all accounts – this should be a strict requirement. While MFA on web applications is increasingly common, it’s crucial not to overlook MFA at the login screen, which is often missing. True MFA, not just a convenient PIN, combined with Just-In-Time (JIT) privileged access, significantly reduces the risk of “pass-the-hash” and credential stuffing attacks.

– Invest in specialized and up-to-date security training for any internal service desk employees. This ensures that employees are equipped with the knowledge to spot a potential cyber incident, as well as empower them to flag anything that appears suspicious.

– Vet any third-party service desk organizations in the same way that you would other third parties. Ensure that these organizations have robust security practices.

– Implement and enforce the use of a Self Service Password Reset. If the Service Desk (SD) cannot handle password resets, it becomes less vulnerable to manipulation.

This not only enhances security but also streamlines the process for users, reducing the burden on support teams and minimizing the risk of unauthorized access.
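
As an added illustration of the "monitor AD password activity" practice above (this example is not from the article or from any vendor's product), the Python sketch below reviews exported Windows Security events with Event ID 4724, which records an attempt to reset another account's password. The account names, the privileged-account list and the burst threshold are hypothetical, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

RESET_EVENT_ID = 4724  # Security log: an attempt was made to reset an account's password

# Constructed sample records (not real data), shaped like exported Security events.
SAMPLE_EVENTS = [
    {"EventID": 4724, "TimeCreated": "2025-09-01T09:02:00",
     "SubjectUserName": "sd.agent1", "TargetUserName": "j.smith"},
    {"EventID": 4724, "TimeCreated": "2025-09-01T09:40:00",
     "SubjectUserName": "sd.agent1", "TargetUserName": "a.jones"},
    {"EventID": 4724, "TimeCreated": "2025-09-01T22:15:00",
     "SubjectUserName": "sd.agent2", "TargetUserName": "adm.backup"},
    {"EventID": 4724, "TimeCreated": "2025-09-01T22:17:00",
     "SubjectUserName": "sd.agent2", "TargetUserName": "m.patel"},
    {"EventID": 4724, "TimeCreated": "2025-09-01T22:21:00",
     "SubjectUserName": "sd.agent2", "TargetUserName": "svc.sql"},
    {"EventID": 4723, "TimeCreated": "2025-09-01T22:30:00",  # user-initiated change, ignored
     "SubjectUserName": "j.smith", "TargetUserName": "j.smith"},
]
PRIVILEGED = {"adm.backup", "svc.sql"}  # hypothetical privileged and service accounts


def find_suspicious_resets(events, privileged, burst_limit=3,
                           window=timedelta(minutes=10)):
    """Return (reason, operator, target, time) tuples for resets worth reviewing."""
    alerts = []
    recent = defaultdict(deque)  # operator -> reset times still inside the window
    resets = [e for e in events if e["EventID"] == RESET_EVENT_ID]
    for ev in sorted(resets, key=lambda e: e["TimeCreated"]):
        ts = datetime.fromisoformat(ev["TimeCreated"])
        operator = ev["SubjectUserName"].lower()
        target = ev["TargetUserName"].lower()
        # Rule 1: any operator-initiated reset of a privileged account is reviewed.
        if target in privileged:
            alerts.append(("privileged-target", operator, target, ts))
        # Rule 2: burst_limit resets by one operator inside the sliding window.
        times = recent[operator]
        times.append(ts)
        while ts - times[0] > window:
            times.popleft()
        if len(times) >= burst_limit:
            alerts.append(("reset-burst", operator, target, ts))
            times.clear()  # start a fresh window so one burst alerts once
    return alerts


if __name__ == "__main__":
    for reason, operator, target, ts in find_suspicious_resets(SAMPLE_EVENTS, PRIVILEGED):
        print(f"{ts.isoformat()} {reason}: {operator} reset {target}")
```

In practice the privileged set would come from group membership in the directory, and the threshold would be tuned to the normal reset volume of the service desk.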

Reevaluating Security Strategies

The recent attacks on M&S, Co-op, and Harrods exemplify the increasing sophistication of service desk attacks, particularly those targeting major retailers. As a result, retailers must reassess their cybersecurity strategies with a special focus on the human element of their defenses.

Service desks play a critical role in overall cybersecurity, as does the security of the Active Directory. Investing in advanced training, robust verification processes, and proactive threat detection tools are essential steps for organizations to defend against future attacks like these.

As the fallout from the M&S, Co-op, and Harrods attacks continues to unravel, showing the increasing scope of impact, it is more important than ever for companies of all sectors and sizes to secure their service desks and their Active Directories, and to remain on guard for suspicious activity. We cannot control who ransomware gangs target, but we can control our response.

This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
