The recent wave of cyber attacks targeting UK retailers has been a moment of reckoning for the entire retail industry. As someone who went through supporting one of the largest retail breaches in history, this news hits close to home. The National Cyber Security Centre’s (NCSC) call to strengthen IT support protocols reinforces a hard truth: cybersecurity is no longer just a technical/operational issue. It’s a business issue that directly affects revenue, customer trust, and brand reputation. Retailers today are navigating an increasingly complex threat landscape, while also managing a vast user base that needs to stay informed and secure. The recent attacks don’t represent a failure, but an opportunity - an inflection point to invest in stronger visibility, continuous monitoring and a culture of shared responsibility that meets the realities of modern retail. We know that the cyber groups responsible for the recent retail hacks used sophisticated social engineering techniques, such as impersonating employees to deceive IT help desks into resetting passwords and providing information, thereby gaining unauthorised access to internal systems. Employees are increasingly a target, and retailers employ some of the largest, most diverse workforces, making them an even bigger risk with countless touchpoints for breaches. In these organisations, a cybersecurity-first culture is vital to combatting threats. Cybersecurity-first culture includes employees that are aware of these types of attacks and understand how to report them if they are contacted. In order to establish a cybersecurity-first culture, employees must be empowered to recognise and respond to threats, not just avoid them. This can be done through simulation training and threat assessments - showcasing real life examples of threats and brainstorming possible solutions to control and prevent further and future damage. This allows security teams to focus on strategy instead of constant firefighting, while leadership support - through budget, tools, and tone - reinforces its importance at every level. In addition to support workers, vendors also pose a significant attack path for bad actors. According to data from Elastic Path, 42% of retailers admit that legacy technology could be leaving them exposed to cyber risks. And with the accelerating pace of innovation, modern cyber threats are not only more complex, but often enter through unexpected avenues, like third-party vendors. Research from Vanta shows 46% of organisations say that a vendor of theirs has experienced a data breach since they started working together. The M&S breach is a case in point, with it being reported that attackers exploited a vulnerability in a contractor’s systems, not the retailer’s own. This underscores that visibility must extend beyond your perimeter to encompass the entire digital supply chain, in real time. Threats don’t wait for your quarterly review or annual audit. If you're only checking your controls or vendor status once a year, you're already behind. This means real-time visibility is now foundational to cyber defence. We need to know when something changes the moment it happens. This can be done through continuous monitoring, both for the technical controls and the relationships that introduce risk into your environment. We also need to rethink the way we resource and prioritise that visibility. Manual processes don’t scale with the complexity of modern infrastructure. Automation and tooling can help surface the right signals from the noise - whether it’s misconfigurations, access drift, or suspicious vendor behavior. The best case scenario is that security measures are embedded into all digital architecture, utilising a few security ‘must haves’ such as secure coding, continuous monitoring, and regular testing and improvement. Retailers who want to get proactive and about breaches following the events of the last few weeks can follow this action plan to get started: First, awareness - have your security leadership send a message out to managers of help desks and support teams to make sure they are aware of the recent attacks on retailers, and are in a position to inform teams of what to look out for. Then, investigate - pinpoint the attack path used on other retailers to make sure you have a full understanding of the risk to your organisation. After that, assess - conduct a threat assessment to identify what could go wrong, or how this attack path could be used in your organisation. The final step is to identify - figure out the highest risk gaps in your organisation, and the remediation steps to address each one. Strong cybersecurity doesn’t come from quick fixes - it takes time, leadership buy-in, and a shift in mindset across the organisation. My advice to security teams is simple: speak in outcomes. Frame cyber risk as business risk, because that’s what it is. The retailers that have fallen victim to recent attacks are facing huge financial losses, which makes this not just an IT issue - it’s a boardroom issue. Customers are paying attention. They want to trust the brands they buy from, and that trust is built on transparency and preparation. The recent retail attacks aren’t a reason to panic - they’re a reason to reset, evaluate current state risks, and fully understand the potential impacts of what is happening elsewhere. This is the moment to invest in your infrastructure, empower your teams, and embed security into your operations. The organisations that do this now won’t just be safer - they’ll be more competitive, more resilient, and better positioned for whatever comes next. Jadee Hanson is the Chief Information Security Officer at Vanta Read more about cyber security in retail Content Goes Here Harrods becomes latest UK retailer to fall victim to cyber attack Retail cyber crime spree a ‘wake-up call’, says NCSC CEO Retail cyber attacks hit food distributor Peter Green Chilled

A significant cyber breach at His Majesty’s Revenue and Customs (HMRC) that saw scammers cheat the public purse out of approximately £47m has been met with dismay from security experts thanks to the sheer simplicity of the attack, which originated via account takeover attempts on legitimate taxpayers. HMRC disclosed the breach to a Treasury Select Committee this week, revealing that hackers accessed the online accounts of about 100,000 people via phishing attacks and managed to claim a significant amount of money in tax rebates before being stopped. It is understood that those individuals affected have been contacted by HMRC – they have not personally lost any money and are not themselves in any trouble. Arrests in the case have already been made. During proceedings, HMRC also came in for criticism by the committee’s chair Meg Hillier, who had learned about the via an earlier news report on the matter, over the length of time taken to come clean over the incident. With phishing emails sent to unwitting taxpayers identified as the initial attack vector for the scammers, HMRC might feel relieved that it has dodged full blame for the incident. But according to Will Richmond-Coggan, a partner specialising in data and cyber disputes at law firm Freeths, even though the tax office had gone to pains to stress its own systems were never actually compromised, the incident underscored just how widespread the consequences of cyber attacks can be – snowballing from simple origins into a multimillion pound loss. “It is clear from HMRC's explanation that the crime against HMRC was only possible because of earlier data breaches and cyber attacks,” said Richmond-Coggan. “Those earlier attacks put personal data in the hands of the criminals which enabled them to impersonate tax payers and apply successfully to claim back tax.” Meanwhile, Gerasim Hovhannisyan, CEO of EasyDMARC, an email security provider, pointed out that phishing against both private individuals and businesses and other organisations had long ago moved beyond the domain of scammers chancing their luck. While this type of scattergun fraud remains a potent threat, particularly to consumers who may not be informed about cyber security matters – the scale of the HMRC phish surely suggests a targeted operation, likely using carefully crafted email purporting to represent HMRC itself, designed to lure self-assessment taxpayers into handing over their accounts. Not only that, but generative artificial intelligence (GenAI) means targeted phishing operations have become exponentially more dangerous in a very short space of time, added Hovhannisyan. “[It] has made [phishing] scalable, polished, and dangerously convincing, often indistinguishable from legitimate communication. And while many organisations have strengthened their security perimeters, email remains the most consistently exploited and underestimated attack vector,” he said. “These scams exploit human trust, using urgency, authority, and increasingly realistic impersonation tactics. If HMRC can be phished, anyone can.” Added Hovhannisyan: “What’s more alarming is that the Treasury Select Committee only learned of the breach through the news. When £47m is stolen through impersonation, institutions can’t afford to stay quiet. Delayed disclosure erodes trust, stalls response, and gives attackers room to manoeuvre.” Once again a service’s end-users have turned out to be the source of a cyber attack and as such, whether they are internal or – as in this case – external, are often considered an organisation’s first line of defence. However, it is not always wise to take this approach, and for an organisation like HMRC daily engaging with members of the public, it is also not really possible. Security education is a difficult proposition at the best of times and although the UK’s National Cyber Security Centre (NCSC) provides extensive advice and guidance on spotting and dealing with phishing emails for consumers – it also operates a phishing reporting service that as of April 2025 has received over 41 million scam reports – bodies like HMRC cannot rely on everybody having visited the NCSC’s website. As such, Mike Britton, chief information officer (CIO) at Abnormal AI, a specialist in phishing, social engineering and account takeover prevention, argued that HMRC could and should have done more from a technical perspective. “Governments will always be a high tier target for cyber criminals due to the valuable information they hold. In fact, attacks against this sector are rising,” he said. “In this case, it looks like criminals utilised account take over to conduct fraud. To combat this, multifactor authentication (MFA) is key, but as attacks grow more sophisticated, further steps must be taken.” Britton said organisations like HMRC really needed to consider adopting more layered security strategies, not only including MFA but also incorporating wider visibility and unified controls across its IT systems. Account takeover attacks such as the ones seen in this incident can unfold quickly, he added, so its cyber function should also be equipped with the tools to identify and remediate compromised accounts on the fly. Read more about trends in phishing Quishing, meaning QR code phishing, is an offputting term for an on-the-rise attack method. Learn how to defend against it. A healthy dose of judicious skepticism is crucial to preventing phishing attacks, said David Fine, supervisory special agent at the FBI, during a presentation at a HIMSS event. Exchange admins got a boost from Microsoft when it improved how it handles DMARC authentication failures to help organisations fight back from email-based attacks on their users.

As Russia continues its relentless assaults on Ukraine despite in defiance of continuing efforts to work towards a peace deal, multiple western security agencies have issued a new advisory warning of a Moscow-backed  campaign of cyber intrusions targeting logistics and technology organisations in the west. The campaign, run through Unit 26165 of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), better known as Fancy Bear, includes credential guessing, spear-phishing attacks, exploitation Microsoft Exchange and Roundcube vulnerabilities, and flaws in public-facing infrastructure including VPNs. This pattern of activity likely dates back to the early days of the war in February 2022 – at which point Fancy Bear was more heavily involved in cyber operations for purposes of espionage. However, as Russia failed to achieve its military objectives as quickly as it had wanted, the group expanded its targeting to include entities involved in the delivery of support and aid to Ukraine’s defence. Over the past three years its victims have included organisations involved in air traffic control, airports, defence, IT services, maritime and port systems sectors across various Nato countries. The advanced persistent threat (APT) actor is also understood to be targeting internet-connected cameras at Ukraine’s border crossings and around its military bases. These intrusions mostly took place in Ukraine but have also been observed in neighbouring states including Hungary, Poland, Romania and Slovakia. The GCHQ-run National Cyber Security Centre (NCSC) urged UK organisations to familiarise themselves with Unit 26165’s tactics and take action to safeguard themselves. “This malicious campaign by Russia’s military intelligence service presents a serious risk to targeted organisations, including those involved in the delivery of assistance to Ukraine,” said Paul Chichester, NCSC Director of Operations. “The UK and partners are committed to raising awareness of the tactics being deployed. We strongly encourage organisations to familiarise themselves with the threat and mitigation advice included in the advisory to help defend their networks.” The NCSC’s latest warning comes a couple of weeks after the cyber body’s CEO, Richard Horne, talked of a “direct connection” between Russian cyber attacks and physical threats to the UK at its annual conference. Horne told an audience at the CyberUK event that Russia was focusing on acts of sabotage, often involving criminal proxies. He said these threats, which are thought to have included arson attacks, are now manifesting on the streets of the UK, “putting lives, critical services and national security” at risk. Rafe Pilling, director of threat intelligence at the Sophos (formerly Secureworks) Counter Threat Unit (CTU) – which tracks Fancy Bear as Iron Twilight – said that the group's targeting of spear-phishing and vulnerability exploitation to gain access to target mailboxes had been a staple tactic for some time. “The focus of their operations pivots as the intelligence collection of the Russian military change and since 2022 Ukraine has been a significant focus of their attention. The targeting of Nato  and Ukranian defense and logistics companies involved in the support of the Ukrainian war effort makes a lot of sense in that context,” Pilling told Computer Weekly.   “The targeting of IP cameras for intelligence collection purposes is interesting and is a tactic generally associated with state-sponsored adversaries like Iron Twilight where they anticipate a physical effects aspect to their operations. As an intelligence provider to the Russian military this access would assist in the understanding of what goods were being transported, when, in what volumes and support kinetic targeting.   “We've seen other APT actors make use of compromised CCTV feeds to monitor the effects of cyber-physical attacks, for example the 2022 attacks against steel mills in Iran where video from the CCTV feed was used to time the execution of the attack in an attempt to avoid harm to people at the site and confirm the damage being caused,” he added. The NCSC said Britain’s support for Ukraine remained “steadfast”. Having already committed £13bn in military aid, the UK this week announced 100 new sanctions on Russia targeting entities and organisations involved in its energy, financial and military systems. This comes in the wake of the largest drone attack on Ukraine staged so far during the three-year war, which Russian dictator Vladimir Putin launched mere hours before a scheduled call with US president Donald Trump. The full advisory – which can be read here – sets out Fancy Bear’s tactics, techniques and procedures (TTPs) in its latest campaign in accordance with the Mitre ATT&CK framework, and also details a number of the common vulnerabilities and exposures (CVEs) being used to attain initial access. Besides the UK and US, the advisory is cosigned by cyber and national security agencies from Australia, Canada, Czechia, Denmark, Estonia, France, Germany, the Netherlands and Poland. Read more about Russian state cyber campaigns Russia is using phishing attacks to compromise encrypted Signal Messenger services used by targets in the Ukraine. Experts warn that other encrypted app users are at risk. The Russian cyber spy operation known as Star Blizzard changed tactics after a takedown operation by Microsoft and the US authorities, turning to widely used messaging platform WhatsApp to try to ensnare its targets. Computer Weekly talks to GCHQ’s National Cyber Security Centre operations director Paul Chichester and former NCSC chief executive Ciaran Martin on Russia, China and Salt Typhoon.

The Legal Aid Agency (LAA), a Ministry of Justice-backed civil and criminal legal aid and advice service covering England and Wales, has fallen victim to a cyber attack that appears to have led to the compromise of personal data on anybody who applied for legal aid through its digital service in the past 15 years. The body said it first became aware of a cyber attack on its online digital services – used by legal aid providers to log their work and receive payment from the government – on 23 April 2025. These services were quickly taken offline. Following this, working alongside the National Crime Agency (NCA) and the National Cyber Security Centre (NCSC), the agency’s IT team took action to reinforce security while the wider LAA reached out to the providers affected. The LAA’s investigation initially appears to have shown that only legal aid providers were affected. However, on 16 May, it became apparent that the attackers had dug themselves far deeper into its systems than was first thought and accessed data on legal aid applicants dating back to 2010. This includes not just those facing criminal prosecution, but individuals involved in family law cases, victims of domestic violence, and more. It said the data includes contact details and addresses, birthdates, national ID numbers, criminal history, employment status and financial data. According to the Guardian, the intruders have stated they have accessed 2.1 million data points, although this is not verified. “I understand this news will be shocking and upsetting for people, and I am extremely sorry this has happened,” said LAA CEO Jane Harbottle. Since the discovery of the attack, my team has been working around the clock with the NCSC to bolster the security of our systems so we can safely continue the vital work of the agency Jane Harbottle, Legal Aid Agency “Since the discovery of the attack, my team has been working around the clock with the NCSC to bolster the security of our systems so we can safely continue the vital work of the agency.” She continued: “However, it has become clear that to safeguard the service and its users, we needed to take radical action. That is why we’ve taken the decision to take the online service down. “We have put in place the necessary contingency plans to ensure those most in need of legal support and advice can continue to access the help they need during this time,” said Harbottle. “I am incredibly grateful to legal aid providers for their patience and cooperation at a deeply challenging time.” The agency urged anyone who has applied for legal aid since 2010 to take immediate steps to safeguard themselves. As is frequently the case, the breadth of the data breached makes it useful to fraudsters and scammers involved in downstream cyber crime activity. Should the data be leaked, those affected may see an uptick in suspicious activity such as unsolicited text messages or phone calls. The agency gave no indication as to whether or not it is dealing with a ransomware incident. Toby Lewis, head of threat analysis at Darktrace, said establishing the full facts of what has gone wrong would be the number one priority for the investigators. “The Legal Aid Agency breach represents a significant but not unusual cyber incident facing public services today. Without confirmation of ransomware or system outages, we’re likely looking at either pre-ransomware exfiltration caught early or straightforward data theft. If it’s the latter, this could be as simple as misconfigured cloud storage or as complex as a nation-state operation targeting bulk personal data, similar to previous international government breaches,” he said. “What’s crucial now is determining which scenario we’re dealing with to properly assess the broader implications for government digital security.” Recent UK cyber attacks A cyber attack at Marks & Spencer has caused significant disruption to customers, leaving them unable to make contactless payments or use click-and-collect services. A developing cyber incident at Co-op has forced the retailer to pull the plug on some of its IT systems as it works to contain the attack. Harrods confirms it is the latest UK retailer to experience a cyber attack, shutting off a number of systems in an attempt to lessen the impact.

pixel_dreams - Fotolia News Security tests reveal serious vulnerability in government’s One Login digital ID system A ‘red teaming’ exercise to simulate cyber attacks on the government’s flagship digital identity system has found that One Login can be compromised without detection By Bryan Glick, Editor in chief Published: 16 May 2025 12:37 External security tests on the government’s flagship digital identity system, Gov.uk One Login, have found serious vulnerabilities in the live service, Computer Weekly has learned. A “red teaming” exercise conducted in March by IT security consultancy Cyberis discovered that privileged access to One Login can be compromised without detection by security monitoring tools. According to Cyberis, red teaming tests the resilience of systems by simulating the tactics, techniques and procedures of cyber attackers to show how well an organisation can detect and respond to an incident. Computer Weekly has been asked by the Department for Science, Innovation and Technology (DSIT) not to reveal further details of the vulnerability while the Government Digital Service (GDS) seeks to fix the problem. Compromising the highest levels of access to a system risks exposing personal data and software code to any cyber attackers able to exploit the vulnerability. A government spokesperson said: “Delivering best practice, we routinely conduct red teaming exercises to test security infrastructure. Where issues are found, we work urgently to resolve them.” The existence of a serious current vulnerability will raise further concerns over the security of One Login, which is intended to be the way that citizens prove their identity and log in to most online government services. There are already six million users of the system, and it is used to access more than 50 online services. Last month, Computer Weekly revealed that GDS was warned by the Cabinet Office in November 2022 and the National Cyber Security Centre (NCSC) in September 2023, that One Login had “serious data protection failings” and “significant shortcomings” in information security that could increase the risk of data breaches and identity theft. GDS said the concerns were “outdated” and arose “when the technology was in its infancy in 2023”, despite One Login being used at that time to support live services. “We have worked to address all these concerns as evidenced by multiple external independent assessments. Any suggestion otherwise is unfounded,” said a spokesperson, at the time. A whistleblower first raised security concerns about One Login within GDS as long ago as July 2022. The issues identified included system administration being performed through non-compliant devices with a risk of transmitting security vulnerabilities, such as malware or phishing attacks, that could compromise the live system. The NCSC recommends that system administration for key government services should be conducted from a dedicated device used only for that purpose, known as a privileged access workstation (PAW), or alternatively to use only “browse down” devices, where the security level of the device is always the same or greater than the system being managed. The whistleblower warned that a lack of PAWs and use of browse-up administration were significant risks. Computer Weekly subsequently revealed that the One Login team has yet to fully meet NCSC guidelines – the system only complies with 21 of the 39 outcomes detailed in the NCSC Cyber Assessment Framework (CAF) – an improvement on the five outcomes it successfully followed a year ago. The One Login development team is also yet to fully implement the government’s Secure by Design practices, although GDS said the system “meets these principles”. Earlier this week, we further revealed that One Login had lost its certification against the government’s own trust framework for digital identity systems, after a key technology supplier allowed its certification to lapse and, as a result, One Login was removed from the official accreditation scheme. In a meeting with private sector digital identity providers this week (Wednesday 14 May), DSIT secretary of state Peter Kyle explained how One Login will underpin the forthcoming Gov.uk Wallet, which will be used to deliver digital versions of key government documents, such as driving licences. Kyle talked about the “rapid journey” he hopes the government will take in delivering digital identity services for citizens and stressed the importance that such systems are “delivered safely [and] securely”. The government spokesperson added: “Gov.uk One Login follows the highest security standards for government and private sector services – including dedicated 24/7 eyes-on monitoring and incident response. As the public rightly expects, protecting the security of government services and the data and privacy of users to keep pace with the changing cyber threat landscape is paramount.” Questions are also being asked in Parliament about the security of One Login. In recent weeks, Liberal Democrat peer and digital spokesman Tim Clement-Jones and Conservative peer Simone Finn have separately submitted Parliamentary questions to DSIT asking for reassurances about the system. Finn asked whether the government has “quantified the likelihood and potential impact of insider threats, unauthorised privileged access, and production environment compromise within One Login”. In response, DSIT minister for the future digital economy and online safety, peer Maggie Jones, said: “The Gov.uk One Login team collaborates closely with the NCSC to assess and mitigate risks associated with insider threats, unauthorised privileged access, and production environment compromise, aligning with the Cyber Assessment Framework outlined in the Government Cyber Security Strategy 2022-2030. “While assessments of insider threats have been made, copies of these assessments will not be placed in the Library of the House, as they are part of ongoing security measures and internal governance processes.” Clement-Jones asked: “What steps [the government is] taking to address security issues in the One Login digital identification system?” Jones replied: “One Login follows the highest security standards for government and private sector services. As the public rightly expects, protecting the security of government services and the data and privacy of users to keep pace with the changing cyber threat landscape is paramount. “Security best practice is followed with a number of layered security controls which include: Security clearances for staff with ‘Security Check’ clearance required for all developers with production access; identity and access management controls that block staff from viewing or altering personal information; a secure by design and compartmentalised system architecture; technical controls around building and deployments; logging and monitoring to alert on access to environments that contain personally identifiable information; and robust procedures for addressing any unauthorised or unaccounted for access.” Speaking to Computer Weekly about the security concerns, Clement-Jones said: “How is the government’s flagship digital identity system failing to meet standards so badly, given that it is expected to shortly form an essential part of our immigration controls? We need answers and quickly.”  Read more about One Login Companies House goes live with One Login ID verification – People can verify their identity with Companies House using Gov.uk One Login as the central government body becomes the 36th service to start using the digital identity system. GDS goes serverless to bring personalisation to online government services with One Login – GDS has opened up about the reasons why it’s opted for a serverless infrastructure to underpin One Login, and how it hopes the system will provide UK citizens with a more personalised experience. One Login digital identity project makes headway – Government services are lining up to work with the GDS on its One Login digital identity system, according to its director of digital identity, Natalie Jones. In The Current Issue: UK MoJ crime prediction algorithms raise serious concerns Interview: Markus Schümmelfeder, CIO, Boehringer Ingelheim Download Current Issue GraphQL as an ‘essential protocol’ for AI-API orchestration – CW Developer Network Mind the insight-to-impact gap, Qlik captures analytics ‘in the moment’ – CW Developer Network View All Blogs