Lessons From Recent Cyberattacks
In the past month, a series of high-profile cyberattacks struck companies that many of us know and trust: high-street retailers like Marks & Spencer (M&S), the Co-Op and Harrods, a luxury brand icon like Cartier, and even Coinbase – one of the world’s largest cryptocurrency exchanges. These incidents spanned different industries (retail apparel, grocery, luxury goods, fintech) but they have something important in common: they reveal how modern attackers mix and match techniques to exploit weaknesses in any enterprise. This article dissects what happened in these breaches and, crucially, what we can learn from the attackers’ tactics, techniques, and procedures (TTPs). We’ll reference the MITRE ATT&CK framework to identify likely techniques used – and provide prevention strategies so your organization doesn’t become the next headline. From phishing and social engineering to exploiting vulnerable web apps and insider threats, these cases cover a gamut of attack vectors that all businesses should be prepared to defend against.
Case 1: M&S, Co-Op, Harrods – Ransomware Hits UK Retail
What Happened: In late April 2025, British retail giant Marks & Spencer began suffering IT disruptions – customers couldn’t place online orders and store shelves went unstocked. Within days, it became clear M&S was the victim of a major cyber “incident” that later was confirmed as a ransomware attack. The attack also touched other retailers: the supermarket chain Co-Op reported an attempted breach the same week, and luxury department store Harrods had to investigate a similar cyber intrusion. A hacking group known as Scattered Spider (aka “Octo Tempest”) is believed to be behind these attacks. M&S had to suspend all online orders for weeks – from April 25 well into May – causing an estimated daily revenue loss of £3.8 million. By early May, over £700M ($930M) of M&S’s market value was wiped out as news of the breach spread. The company later admitted some customer data was stolen (names, contact info – thankfully no payment details).
Attacker Tactics: Scattered Spider’s tactics were a blend of social engineering and technical exploits. According to reports, the initial intrusion at M&S likely came via one of its contractors – attackers posed as an M&S staff member and tricked an external IT helpdesk employee into revealing credentials. In MITRE ATT&CK terms, this is Phishing (T1566) and also reflects a Trusted Relationship (T1199) exploitation – abusing the connection between M&S and its IT support provider. The attackers then deployed ransomware (identified in media as “DragonForce” malware) to encrypt systems across M&S and Harrods. Ransomware deployment involves multiple ATT&CK techniques: after initial access, they likely used Credential Dumping (T1003) and Lateral Movement (TA0008) through the network, then executed file encryption for impact – Data Encrypted for Impact (T1486). Notably, MFA fatigue attacks (sending repeated multi-factor auth requests) and even SIM swapping were mentioned as part of Scattered Spider’s arsenal, highlighting their focus on bypassing authentication – Valid Accounts (T1078) and Multi-Factor Authentication Abuse. The Co-Op’s quick response – they proactively shut down parts of their IT when an intrusion attempt was detected, limiting damage – suggests that early detection can thwart the kill chain before ransomware deployment.
Impact: These attacks disrupted business operations severely. M&S’s e-commerce was down for over three weeks, a critical blow when online sales comprise a significant chunk of revenue. Even in-store logistics were affected (reports of empty shelves and halted warehouse work). The financial hit was enormous – up to £300M in profit impact projected – and the reputational damage of being plastered across news headlines cannot be overstated. Harrods, being privately owned, didn’t disclose losses, but any ransomware event in a high-profile luxury store likely erodes customer confidence.
Lessons & Mitigations: For retailers and others, the M&S incident underlines third-party risk management – you must extend security awareness to contractors and partners. Regularly vet and train the contractors who have access to your systems (in this case, helpdesk personnel should be drilled to verify identities and spot social engineering). Implement stringent access controls for vendor accounts (least privilege and maybe time-bound access). Technically, network segmentation could limit ransomware spread – if M&S’s online ordering systems were segmented from core inventory systems, for example, the impact might have been lessened. Also, invest in Incident Response planning: M&S’s prolonged downtime hints at recovery challenges. Having reliable, tested backups and a practiced recovery plan can drastically reduce downtime after ransomware. Finally, user-focused defenses like phishing training and phishing-resistant MFA (FIDO2 keys) help prevent that initial foothold. Since Scattered Spider also leveraged MFA fatigue, companies should consider solutions that detect and block multiple rapid-fire push attempts or use number-matching MFA to thwart automated attacks.
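The MFA-fatigue detection suggested above, as an added example that is not from the original article or any vendor product: a sliding-window check over constructed identity-provider push events (the log format, user names and thresholds are assumptions) that flags a burst of pushes and escalates when an approval lands inside the burst.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of identity-provider push events (not real M&S or IdP logs).
# A run of denied/timed-out pushes followed by an approval is the MFA-fatigue signature.
SAMPLE_EVENTS = """\
2025-04-22T08:01:10Z push_sent user=j.smith result=approved
2025-04-22T09:30:00Z push_sent user=j.smith result=approved
2025-04-22T22:14:03Z push_sent user=a.lee result=denied
2025-04-22T22:14:21Z push_sent user=a.lee result=timeout
2025-04-22T22:14:40Z push_sent user=a.lee result=denied
2025-04-22T22:15:02Z push_sent user=a.lee result=timeout
2025-04-22T22:15:30Z push_sent user=a.lee result=approved
"""


def parse_events(text):
    """Return a list of (timestamp, user, result) tuples from the log text."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _event, user_kv, result_kv = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       user_kv.split("=", 1)[1], result_kv.split("=", 1)[1]))
    return events


def detect_push_fatigue(events, threshold=4, window=timedelta(minutes=5)):
    """Flag users who receive >= `threshold` pushes inside any sliding `window`.

    Returns {user: {"max_pushes": n, "approved_during_burst": bool}}. An approval
    inside a burst is the case to escalate: the user may have given in to the spam.
    """
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))
    findings = {}
    for user, evs in by_user.items():
        recent = deque()  # events inside the current window, oldest first
        for ts, result in evs:
            recent.append((ts, result))
            while ts - recent[0][0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                f = findings.setdefault(user, {"max_pushes": 0, "approved_during_burst": False})
                f["max_pushes"] = max(f["max_pushes"], len(recent))
                if result == "approved":
                    f["approved_during_burst"] = True
    return findings


if __name__ == "__main__":
    for user, info in detect_push_fatigue(parse_events(SAMPLE_EVENTS)).items():
        print(user, info)
```

The same check works on real IdP exports once `parse_events` is adapted to their field names; number-matching MFA removes the "approved by mistake" outcome but the burst itself is still worth alerting on.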
Case 2: Cartier – Cloud Storage Breach via LFI
What Happened: In August 2024, Cartier, the French luxury jeweller, suffered a breach that illustrated how even glamorous brands aren’t immune to mundane web vulnerabilities. According to breach reports, attackers compromised Cartier’s AWS cloud storage (S3 buckets) by exploiting a Local File Inclusion (LFI) vulnerability. This allowed them to retrieve sensitive files from Cartier’s servers that should not have been public. The data leaked included proprietary information like source code and images of unreleased products. The attackers (who went by handles like “IntelBroker” on hacking forums) posted proof of the breach on BreachForums and attempted to sell the stolen data. While this wasn’t a ransomware scenario, it was a serious data breach – exposing Cartier’s internal assets and plans, which could be devastating for a luxury brand’s competitive edge and reputation.
Attacker Tactics: The key flaw here was a Web Application vulnerability – specifically LFI. In MITRE terms, this falls under Exploit Public-Facing Application (T1190) as the initial access. An LFI vulnerability means the web app allowed the attacker to read files on the server (and possibly traverse directories). The attackers likely discovered an insecure parameter or endpoint on Cartier’s website that wasn’t properly validating input, enabling them to fetch AWS credentials or configuration files. Once they had AWS access (for example, an exposed AWS key in a config file), they could directly access cloud storage buckets. This shows a chain of attack: web app exploit → cloud compromise. Techniques used likely include File and Directory Discovery (T1083) – reading various files to find something juicy – and Data Staged (T1074) followed by Data Exfiltration (TA0010) once they got into S3 buckets. Because the breach was revealed by the attackers themselves on a forum, it’s clear this was financially motivated (data theft for resale).
Impact: For Cartier, the immediate impact was loss of sensitive data – including intellectual property (designs, source code) and potentially customer info if any was stored there. Even though it wasn’t publicized as widely as the M&S incident, such a breach can erode trust with customers and partners. It also highlighted a cloud security lapse: AWS storage should have been tightly secured and should never have been reachable through a simple web flaw. Cartier likely had to conduct a security review of all web applications and cloud configurations, and might have faced regulatory scrutiny if any personal data was involved.
Lessons & Mitigations: Cartier’s breach teaches the importance of secure software development and cloud configuration. To prevent LFI and similar bugs, organizations should enforce secure coding practices and do regular code reviews and penetration testing on web apps. A web application firewall (WAF) might catch some injection or inclusion attacks, but fundamentally the code needs to handle inputs safely. On the cloud side, employing the principle of least privilege for cloud credentials is crucial – even if an attacker finds an AWS key, it should ideally have limited access (e.g., not full admin to all S3 buckets). Also, monitor your cloud: use AWS CloudTrail and GuardDuty for unusual access patterns (like large data downloads or access from strange IPs). MITRE-wise, techniques like Cloud Storage Object Discovery and Data Exfiltration to Cloud Storage should be in your detection playbook. Lastly, consider bug bounty programs or third-party app assessments – an ethical hacker might have found the LFI before the bad guys, giving Cartier a chance to fix it quietly.
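To make the LFI flaw and its fix concrete, here is an added example (not Cartier’s code, and the directory layout and file names are constructed for the demo): a file-serving function written the vulnerable way beside a hardened version that resolves the real path and refuses anything outside the served directory.

```python
import os
import tempfile


class ForbiddenPath(Exception):
    """Raised when a requested path resolves outside the directory being served."""


def build_demo_tree():
    """Constructed layout for the demo (an assumption, not Cartier's real system):
    <root>/public/banner.txt is the only file the app should serve;
    <root>/config/aws.env stands in for a credentials file that must never be reachable."""
    root = tempfile.mkdtemp(prefix="lfi-demo-")
    os.makedirs(os.path.join(root, "public"))
    os.makedirs(os.path.join(root, "config"))
    with open(os.path.join(root, "public", "banner.txt"), "w") as f:
        f.write("welcome")
    with open(os.path.join(root, "config", "aws.env"), "w") as f:
        f.write("AWS_SECRET_ACCESS_KEY=PLACEHOLDER_NOT_A_REAL_KEY\n")
    return root


def read_file_vulnerable(public_dir, requested):
    """The LFI pattern: the request parameter is joined to the base directory unchecked.
    '../config/aws.env' walks out of public_dir, and an absolute path replaces it entirely."""
    path = os.path.join(public_dir, requested)
    with open(path) as f:
        return f.read()


def is_within(public_dir, requested):
    """True only if `requested`, fully resolved (symlinks included), stays under public_dir."""
    base = os.path.realpath(public_dir)
    target = os.path.realpath(os.path.join(base, requested))
    return os.path.commonpath([base, target]) == base


def read_file_hardened(public_dir, requested, allowed_suffixes=(".txt", ".css", ".png")):
    """Refuse traversal, absolute-path escapes and non-allow-listed extensions
    before touching the filesystem."""
    if not is_within(public_dir, requested):
        raise ForbiddenPath(requested)
    target = os.path.realpath(os.path.join(public_dir, requested))
    if not target.endswith(allowed_suffixes):
        raise ForbiddenPath(requested)  # e.g. .env, .key, .php
    with open(target) as f:
        return f.read()


if __name__ == "__main__":
    pub = os.path.join(build_demo_tree(), "public")
    print(read_file_vulnerable(pub, "../config/aws.env"))  # the secret leaks
    try:
        read_file_hardened(pub, "../config/aws.env")
    except ForbiddenPath as e:
        print("blocked:", e)
```

Even with the hardened reader, the credentials file should not hold a long-lived key at all: an instance role or short-lived token scoped to the one bucket the app needs is the least-privilege setting the text recommends.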
Case 3: Coinbase – Bribery and the Insider Threat
What Happened: In May 2025, Coinbase revealed a bold social engineering plot that led to a breach of its customer data. Rather than exploit a technical flaw, attackers went after people – specifically, third-party customer support agents contracted by Coinbase in India. These threat actors bribed a handful of support staff, reportedly paying them to surreptitiously collect user information. Over some time, the rogue insiders provided the attackers with lists of Coinbase customers and other sensitive data that could be leveraged for fraud. On May 11, the attackers attempted to extort Coinbase for $20 million, threatening to leak or misuse the stolen customer data. Coinbase refused to pay – instead, they went public about the incident on May 15 and even offered a $20M reward for information leading to the attackers. Fortunately, Coinbase confirmed that no account passwords, cryptographic keys, or funds were stolen; the breach was limited to personal data and some account info. They also promised to reimburse any customers affected by related fraud.
Attacker Tactics: This is a classic Insider Threat scenario combined with social engineering. The external attackers essentially turned support employees into assets. Under ATT&CK, this can be mapped to Trusted Relationship (T1199) as well, in that the attackers capitalized on the trust and access that support agents have. The bribery aspect doesn’t have a direct ATT&CK technique (it’s more a tactic), but the outcome was that the attackers obtained Valid Accounts (T1078) or at least valid session data of users, which they could then use for further social engineering (phishing those users, etc.). We can infer some techniques: the agents likely had access to Coinbase’s customer support tools, which might show customer email, name, maybe recent transactions – prime data for targeted Phishing (T1566) campaigns against those customers. The attempted extortion is an Impact stage action – analogous to ransomware groups stealing data and demanding payment (except here no ransomware, just pure extortion). This aligns with Data Extortion (TA0040) in MITRE’s impact tactics. The fact that Coinbase detected and stopped this (and chose not to pay) suggests they might have noticed abnormal data queries by support staff or were tipped off.
Impact: While no cryptocurrency was stolen, the breach undermined customer confidence. Coinbase users entrust the platform with sensitive financial info and assets, so learning that insiders were compromised is unsettling. There’s also a potential compliance/regulatory impact – many jurisdictions require disclosure of breaches involving personal data. Financially, Coinbase estimated the incident could cost up to $180–400 million in investigations, enhancements, and customer protection measures. However, by taking a firm stance (refusing the extortion and being transparent), Coinbase may have mitigated some reputational harm. It’s also worth noting the broader implication: if attackers find it hard to hack your tech directly, they will target the humans with access to it.
Lessons & Mitigations: Coinbase’s incident is a case study in why insider risk programs are essential. First, companies should implement robust background checks and continuous monitoring for roles with access to sensitive data (like customer support). While you can’t eliminate the possibility of bribery, you can set up controls where one agent alone cannot siphon large amounts of data unnoticed (Separation of Duties control). Monitor for anomalous access patterns in support tools – e.g., an agent looking up far more accounts than average, or accessing data outside of normal job hours, should raise flags (User Behavior Analytics comes into play). Limiting data access is key: do support agents really need to see full personal details or just a subset to do their job? Reducing the data visible on screen reduces the prize for a corrupt insider. Encourage a culture where employees can report suspicious approaches – those agents were contacted and bribed; had one reported the attempt to management, the breach might have been stopped earlier. Technically, implementing fine-grained audit logs (who accessed what data) and deploying alerts for bulk queries can detect such insider-led data exfiltration (MITRE technique: Data from Information Repositories – T1213 could apply, as they accessed data from databases). Lastly, the incident underlines the importance of Zero Trust, not just between network segments but among user roles: never fully trust that an authenticated employee won’t abuse the system, hence continuously verify and validate their actions.
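The bulk-query and off-hours alerting described above, as an added example that is not Coinbase’s tooling: it runs three heuristics over a constructed support-tool audit log (agent names, the log format, the shift window and the thresholds are all assumptions) and reports the agents whose lookups look like harvesting rather than ticket work.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed support-tool audit log (not Coinbase data): one line per action.
# agent07 and agent12 work a few tickets during the day; agent33 (the scripted
# part below) views 40 different customers in one early-morning burst.
AUDIT_LOG = """\
2025-05-02T10:05:11Z agent=agent07 action=view_customer customer=c1001
2025-05-02T10:07:45Z agent=agent07 action=view_customer customer=c1002
2025-05-02T10:09:02Z agent=agent07 action=add_note customer=c1002
2025-05-02T10:12:03Z agent=agent12 action=view_customer customer=c1003
2025-05-02T10:15:30Z agent=agent12 action=view_customer customer=c1003
2025-05-02T10:20:00Z agent=agent12 action=view_customer customer=c1004
"""
AUDIT_LOG += "".join(
    f"2025-05-02T03:{m:02d}:10Z agent=agent33 action=view_customer customer=c{2000 + m}\n"
    for m in range(40)
)


def parse_audit(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime under 'ts'."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *kvs = line.split()
        rec = dict(kv.split("=", 1) for kv in kvs)
        rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        rows.append(rec)
    return rows


def find_anomalous_agents(rows, ratio=3.0, min_lookups=10, shift=(8, 20)):
    """Return {agent: [reasons]} for agents whose customer lookups look like harvesting.

    Heuristics: volume far above the peer median, most lookups outside the assumed
    shift window (UTC hours), and no repeat lookups (enumeration, not ticket work).
    """
    lookups = defaultdict(list)
    for r in rows:
        if r["action"] == "view_customer":
            lookups[r["agent"]].append(r)
    findings = {}
    for agent, recs in lookups.items():
        n = len(recs)
        peers = [len(v) for a, v in lookups.items() if a != agent]
        baseline = median(peers) if peers else 0
        reasons = []
        if n >= min_lookups and n > ratio * baseline:
            reasons.append(f"{n} lookups vs peer median {baseline:g}")
        off_hours = sum(1 for r in recs if not shift[0] <= r["ts"].hour < shift[1])
        if off_hours > n / 2:
            reasons.append(f"{off_hours}/{n} lookups outside {shift[0]:02d}-{shift[1]:02d} UTC")
        if n >= min_lookups and len({r["customer"] for r in recs}) == n:
            reasons.append("no repeat lookups: enumeration rather than ticket work")
        if reasons:
            findings[agent] = reasons
    return findings


if __name__ == "__main__":
    for agent, reasons in find_anomalous_agents(parse_audit(AUDIT_LOG)).items():
        print(agent, "->", "; ".join(reasons))
```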
Attacker Techniques Mapped (MITRE ATT&CK)
Across these cases, attackers employed a wide range of TTPs. Here are some of the notable techniques (with MITRE IDs) evident in these incidents:
Phishing and Social Engineering (T1566): Used in M&S/Harrods (phishing employees and contractors) and likely in Coinbase (phishing customers post-breach). This is also how Scattered Spider obtained its initial credentials (phishing plus MFA fatigue).
Valid Accounts (T1078): Once credentials or access tokens were obtained (through phishing or bribery), attackers used legitimate accounts to log into systems (Coinbase’s support portal misuse, M&S contractor account). This allows them to blend in as normal users.
Exploit Public-Facing Application (T1190): Seen in Cartier’s case via the web vulnerability. Any internet-exposed app (websites, APIs) can be an entry if vulnerable.
Lateral Movement (TA0008 tactics): Particularly in ransomware cases, attackers likely moved laterally through corporate networks – using techniques like Windows Admin Shares (T1077) or Remote Services (T1021) – to spread ransomware widely.
Credential Dumping (T1003): On Windows networks (M&S/Harrods), ransomware operators often dump password hashes from memory or the SAM database to escalate privileges. Scattered Spider might have done this to move from an initial foothold to domain admin.
Data Encrypted for Impact (T1486): The core of the ransomware impact – encrypting files on M&S/Harrods systems to render them unusable.
Data Exfiltration (TA0010): Before encryption, modern ransomware gangs exfiltrate data to use for double extortion. M&S did confirm data theft, so attackers likely used techniques like Automated Exfiltration (T1020) or Exfiltration Over Web Protocol (T1041) to send data out.
Data from Cloud Storage (T1530): In Cartier’s case, once they had cloud access, attackers grabbed data from S3 buckets. This is a specific vector where cloud misconfiguration can lead to bulk data theft.
Internal Spearphishing (T1534): There’s a chance that after getting initial access at M&S, Scattered Spider sent internal phishing emails to escalate (common in many breaches), though unconfirmed – but defenders should consider it.
Indicator Removal (T1070): The Fortinet story in the threat intel update showed attackers wiping logs; similarly, ransomware attackers often delete system logs or disable security tools to hide their tracks while they work.
Understanding these techniques helps defenders anticipate attacker moves. For example, if you detect phishing (T1566) in progress, be on high alert for attempts at using stolen creds (T1078) and watch critical systems for unusual admin logins (could indicate lateral movement or credential dumping in action).
Prevention Strategies and Takeaways
Looking across M&S/Harrods, Cartier, and Coinbase, a few common themes emerge in prevention:
Holistic Security Awareness: Technical defenses alone aren’t enough. Regular, robust security training for all employees and contractors can create a human firewall. Teach staff about phishing red flags, MFA fatigue attacks, and the seriousness of social engineering. In M&S’s case, an aware helpdesk staffer could have double-checked the impostor’s identity and halted the attack at step 1.
Zero Trust Architecture: As seen with Coinbase, even insiders and contractors need to be treated with least privilege. Implement Zero Trust principles – verify all users continuously, segment network access, and require re-authentication for sensitive actions. For example, if a support agent suddenly tries to export an entire user list, require a higher level of approval or additional auth.
Robust Identity and Access Management: Ensure multi-factor authentication is everywhere it can be (and consider phishing-resistant methods). Monitor for unusual login patterns (impossible travel, new devices, etc.). Also, promptly revoke access when people leave or contracts end – stale accounts are easy backdoors.
Patch and Protect Systems: Cartier’s breach via a known web flaw underscores the need for application security (code reviews, pentests, prompt patching of web frameworks). Similarly, keeping systems updated can prevent many initial exploits. Virtual patching via WAFs/IPS can help in the interim, but code fixes are the real solution.
Network Segmentation and Egress Filtering: Ransomware spread and data exfiltration can be curbed if your network isn’t flat. Segment critical servers (e.g., separate retail POS networks from corporate LAN). Implement egress filtering – the data stolen from M&S (mostly names and contact details) had to leave the network somehow; if large outbound transfers had been blocked or flagged, the attackers might have been caught before exfiltration completed.
Insider Threat Programs: Deploy strategies to handle malicious insiders. This could include behavioral analytics that detect when an employee is accessing way more data than usual, or trying to use admin credentials they never do. Also foster an environment where employees can report coercion or strange requests without fear – perhaps Coinbase’s contractors might have blown the whistle if they felt safe doing so.
Incident Response and Business Continuity: All the companies had to respond under pressure. Those with faster, more transparent responses fared better. Have an IR plan specifically for ransomware/extortion (including law enforcement contacts, ransom decision framework, and communications). Also, ensure you have reliable backups and test them. The quicker you can recover critical operations (like M&S’s online store), the less leverage attackers have and the less damage to your bottom line.
Threat Intelligence Sharing: Stay plugged into threat intel feeds and industry sharing groups (like retail ISACs or CERT alerts). Google’s Mandiant warning retailers of Scattered Spider’s campaign is an example – if you’re in that sector and got the early warning, you could heighten monitoring on your systems. For example, after learning of those tactics, a retailer might run a simulated phishing campaign to see if their staff would resist or report it.
Conclusion
The cyberattacks on M&S, Co-Op, Harrods, Cartier, and Coinbase highlight that no industry is immune – whether you sell luxury jewelry, groceries, or digital currency, you’re a target. Attackers will exploit any weakness, human or technical, to achieve their goal. By analysing these incidents, we learned about the importance of a multi-layered defense: people, process, and technology all play a role. Implementing the lessons – from tightening identity security and third-party oversight to improving technical controls and response plans – will strengthen organizations against similar threats. In cybersecurity, experience is a hard teacher – but it doesn’t have to be your breach that provides the lesson. Wise organizations will internalize these takeaways and remain one step ahead of the bad guys, turning the hard-won lessons of others into proactive strategies for themselves.