
In the spring of 2025, two iconic British retail brands, Marks & Spencer and Co-op, became the target of a well-organized yet surprisingly simple cyberattack. The perpetrators were not looking for elaborate exploits or hidden back doors. Instead, they exploited the human factor — more specifically, the naivety of IT helpdesk workers and the overconfidence of organizations. The incident was not only painful for the victims: it has lessons for the entire industry.
The hackers, a group of mostly young, English-speaking criminals known as Scattered Spider, used social engineering. Through deception and manipulation they persuaded IT helpdesk staff to reset the passwords of employees, or of callers who merely appeared to be employees. With that, they had access to the companies' internal systems. In the case of Co-op this led directly to unauthorised access to customer data, while at M&S hundreds of contract workers had to be sent home and the company's market value fell by £650 million in a matter of days.
This case is a perfect example of how even the most advanced technological protection counts for little if employees are not prepared for the most common and deceptive forms of attack.
The attackers didn't hack a system; they simply walked through a door that the victim had opened for them. They didn't crack a password and they didn't need malicious code to get in: they just made an IT worker believe they were entitled to access.
Today this method, social engineering, is one of the most commonly used forms of attack, yet many organizations underestimate it. Companies spend significant resources on firewalls, endpoint protection and security monitoring, while the weakest link in the chain, the human, gets little attention. A convincing email, a phone call or a fake internal chat message is enough to bring a multi-billion pound company to its knees.
The NCSC (National Cyber Security Centre) reacted quickly and published guidance on reviewing helpdesk processes. It stressed that every company needs to think about how it authenticates people who ask for a password reset, especially for accounts with administrative privileges, because through those accounts attackers can paralyse the entire corporate infrastructure or blackmail the victim.
Its tips include enforcing multi-factor authentication, using agreed code words for password recovery (“BluePenguin” is the example that has circulated in the security community), and monitoring for suspicious login attempts, such as logins at night or from an unusual geographic location.
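One way to put the last tip into practice is to correlate helpdesk password resets with the logins that follow them, so that a reset followed within a short window by a night-time login or a login from a country the user has never used before is raised as an alert. The block below is an added example written for this article; it is not NCSC code and not from either retailer's systems. The event format, field names, the one-hour correlation window and the 22:00 to 06:00 UTC "night" band are assumptions, and the log lines are constructed.

```python
"""Flag password resets followed by anomalous logins (added example; not NCSC
or retailer code). Event schema, thresholds and sample data are assumptions."""
from __future__ import annotations

import json
from datetime import datetime, timedelta, timezone

# Constructed sample events in newline-delimited JSON, timestamps in UTC.
# jsmith: two normal UK logins, then a night-time reset and a login from the US
#         eight minutes later (the pattern the guidance warns about).
# akhan:  a daytime reset followed by a normal UK login, then a later login
#         from France with no reset in the preceding hour.
SAMPLE_LOG = """
{"ts": "2025-04-17T09:12:04Z", "user": "jsmith", "event": "login", "country": "GB", "ip": "203.0.113.10"}
{"ts": "2025-04-18T10:01:40Z", "user": "jsmith", "event": "login", "country": "GB", "ip": "203.0.113.12"}
{"ts": "2025-04-19T02:47:09Z", "user": "jsmith", "event": "helpdesk_password_reset", "agent": "helpdesk03"}
{"ts": "2025-04-19T02:55:31Z", "user": "jsmith", "event": "login", "country": "US", "ip": "198.51.100.77"}
{"ts": "2025-04-19T13:05:00Z", "user": "akhan", "event": "helpdesk_password_reset", "agent": "helpdesk01"}
{"ts": "2025-04-19T13:09:12Z", "user": "akhan", "event": "login", "country": "GB", "ip": "203.0.113.40"}
{"ts": "2025-04-20T11:00:00Z", "user": "akhan", "event": "login", "country": "FR", "ip": "192.0.2.9"}
"""

RESET_WINDOW = timedelta(hours=1)   # assumption: reset-to-login gap worth correlating
NIGHT_START, NIGHT_END = 22, 6      # assumption: 22:00-06:00 UTC counts as off-hours


def parse_events(text: str) -> list[dict]:
    """Parse NDJSON lines into dicts with a timezone-aware datetime in 'ts', sorted by time."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def is_off_hours(ts: datetime) -> bool:
    """True when the timestamp falls in the configured night band."""
    return ts.hour >= NIGHT_START or ts.hour < NIGHT_END


def find_suspicious_logins(events: list[dict]) -> list[dict]:
    """Return one alert per login that is anomalous (new country or off-hours).

    Severity is 'high' when a helpdesk reset for the same user happened within
    RESET_WINDOW before the login, 'medium' for an anomaly with no recent reset.
    """
    known_countries: dict[str, set[str]] = {}   # per-user baseline of countries
    last_reset: dict[str, dict] = {}            # most recent helpdesk reset per user
    alerts = []
    for ev in events:
        user = ev["user"]
        if ev["event"] == "helpdesk_password_reset":
            last_reset[user] = ev
            continue
        if ev["event"] != "login":
            continue
        seen = known_countries.setdefault(user, set())
        reasons = []
        # Only call a country "new" when there is a baseline to compare against.
        if seen and ev["country"] not in seen:
            reasons.append(f"new country {ev['country']} (seen: {sorted(seen)})")
        if is_off_hours(ev["ts"]):
            reasons.append(f"off-hours login at {ev['ts']:%H:%M} UTC")
        reset = last_reset.get(user)
        post_reset = reset is not None and timedelta(0) <= ev["ts"] - reset["ts"] <= RESET_WINDOW
        if reasons:
            if post_reset:
                gap = int((ev["ts"] - reset["ts"]).total_seconds() // 60)
                reasons.insert(0, f"password reset by {reset['agent']} {gap} min earlier")
            alerts.append({"user": user, "ts": ev["ts"], "ip": ev["ip"],
                           "severity": "high" if post_reset else "medium",
                           "reasons": reasons})
        else:
            # Only clean logins extend the baseline, so an attacker's first
            # login does not become the "normal" location for later checks.
            seen.add(ev["country"])
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_logins(parse_events(SAMPLE_LOG)):
        print(f"[{a['severity']}] {a['user']} {a['ts']:%Y-%m-%d %H:%M}Z from {a['ip']}: "
              + "; ".join(a["reasons"]))
```

On the constructed data this yields a high-severity alert for jsmith (reset by helpdesk03, then an off-hours login from a never-before-seen country eight minutes later) and a medium one for akhan's later login from France; akhan's own reset followed by a daytime UK login is treated as normal. In a real deployment the baseline would come from weeks of history rather than two logins, and the reset events would also carry who the helpdesk agent spoke to and how the caller was verified, so that the alert can go straight back to the helpdesk ticket.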
Scattered Spider is not a classic hierarchical organization but a loose, yet well-organized, group of young people who coordinate attacks via Discord and Telegram. Their name evokes a spider's web: the attack does not start from one centre but from many small but effective threads. The group became notorious as early as 2023, when it locked down the systems of Caesars Entertainment and MGM Resorts and demanded multi-million dollar ransoms.
The British events show that the target is no longer only financial or industrial giants, but any organisation that holds significant data assets or runs digital operations and lacks protocols built for human defence.
The most important message from this case: it is not enough to think in terms of technology. There needs to be a culture change within organizations.
Cybersecurity is not (just) an IT task; it is also a business, legal, HR and communications responsibility. Defence against social engineering works only if employees understand why an email is dangerous, if the helpdesk knows how to reliably identify callers, and if admin rights are managed under the strictest protocol.
This includes regular training for all employees, whether in customer service, IT or management. Signing a GDPR notice once a year is not enough. Real vigilance is built through lifelike simulated attacks, testing, and analysis of recent examples.
This attack confirmed once again that it is not technology alone that will win the cyber war for us, but trained people. The question is not “will we be attacked?” but “when?” and “how do we prepare for it?”
Every company, institution and manager must act now. We encourage all responsible leaders to examine their IT helpdesk protocols, train employees and recognise that defending against social engineering is not a cost: it is an investment in survival.
And the next time someone calls the helpdesk and says, “I forgot my password, BluePenguin was my code word,” there may already be someone on the other end who grows suspicious. That in itself is a step in the right direction.
Author:
D. László István
Head of Cybersecurity, United Consult Group