Connect with Us!
Subscribe to receive new blog post from PureID in your mail box
The £650M Mistake: M&S Breach Breakdown
The On-the-Job Hack That Shook a Retailing Goliath
Consider this. You get a call from one of your co-workers. He's locked out, needs a password reset, and sounds precisely like all the others you deal with daily. You press some keys to reset it. Job done. Behind that voice, though, is a hacker, and a few hours later, the company loses hundreds of millions.
This is exactly how attackers brought Marks and Spencer to its knees. The attack wasn't the result of advanced malware or brute-force attacks. It was founded on trust, rapid chatter, and human error. Welcome to social engineering.
What Occurred at M&S
1. The Entry Point: Manipulation of Help Desk
Attackers posed as employees and convinced IT support staff to reset passwords.
No evil code, just believable lies and a sense of urgency.
Result: Instant access to in-house systems.
2. The Damage
Inside, the attackers:
- Enjoyed admin-level access
- Installed the DragonForce ransomware
- Locked up virtual machines
- Topped online orders and payments
M&S lost £650 million in value overnight. Their business online ground to a halt. Hundreds of staff were let go.
3. Not a One-Time Trick
Other large firms fell in the same way:
| Company | Entry Method | Group | Known Impact |
| MGM Resorts | Help desk spoofing | Scattered Spider | $100M+ revenue loss |
| Caesars | Social engineering | Scattered Spider | $15M ransom paid |
| Co-op | Password reset scam | DragonForce | 20 Million Customer data leaked |
| Harrods | Identity spoofing | DragonForce | System outages |
| M&S | Help desk deception | Scattered Spider | £650M market loss |
The Core Issue: Passwords Still Break Everything
Even more recent approaches like passkeys fall back on passwords. Hackers exploit this by attacking the human element, not the technology. If help desks are susceptible to deception, passwords can be reset. If passwords can be reset, attackers can walk in.
How PureAuth Stops It
PureAuth stops this attack chain by:
- Removing password fallbacks entirely
- Stopping help desk resets
- Refraining from admin privilege abuse
There is no social trick that can bypass actual behavior analysis.
Final Thought: Hackers Don't Crack Systems, They Fool People
M&S didn't lose millions because of insecure software. They lost it because someone followed regular help desk protocol.
That's the danger. That's the fix.
Secure people, not passwords.
PureAuth protects against a world where attackers launch their first compromise with a phone call.
Read More
Privacy Beyond Customers: Why Comprehensive IAM Matters for Everyone