
Cyber Security Monitor: May 2025

Stay one step ahead of cyber criminals with our regular news and tips

Was April 2025 the month from hell for UK cyber security? Discuss.

Certainly, UK retailers (M&S, Co-op, Harrods) and a government agency (the Legal Aid Agency) suffered more high-profile and damaging cyber attacks in April than in any other single month we can remember.

It’s only natural that a sense of nervousness currently permeates UK organisations. But, once the initial shock is over, we must get down to the business of shoring up our defences.

We start with some analysis of the M&S breach.

M&S cyber saga: important lessons for all organisations

M&S boss Stuart Machin has said that the hack was not a failure of the retailer's own IT systems but of a third-party contractor, whom he has not named. The weak link is now reported to be Tata Consultancy Services (TCS), which runs the M&S helpdesk and has access to its systems. Machin also said that social engineering was used to gain access.

But blaming a contractor in your supply chain is unlikely to calm spooked investors or irate customers, and it will not impress the Information Commissioner's Office either: under UK GDPR the organisation that appoints a processor remains accountable for the personal data it handles, and the ICO is expected to land M&S with a multi-million pound fine if its investigation finds that inadequate security measures contributed to the attack.

As a result of the hack, which exposed staff and customer data, M&S is understood to have lost around £1 billion in stock-market value and expects a £300 million hit to profits. The disruption is expected to last into July.

The National Crime Agency has named the cyber crime group Scattered Spider as a focus of its investigation. The attackers are reported to have used DragonForce, a ransomware-as-a-service offering rented out to affiliates.

Says Jake Ives, our Head of Security:

“Organisations in the UK need to ramp up their adoption of a zero-trust security posture and review their incident response plans as a matter of urgency. Below are some actions to take right now:

  • Audit all parties in the supply chain and revisit their status frequently.
  • Make MFA (multi-factor authentication) non-negotiable across all systems and servers, and implement phish-resistant MFA methods.
  • Introduce application allowlisting and ringfencing as standard.
  • Train employees on emerging risks such as AI / deepfakes and modern attack strategies.
  • Separate standard and admin accounts, and ensure that the principle of least privilege is followed.
  • Ensure all security patches are applied within 14 days (per Cyber Essentials Guidance).
  • Ensure all activity across all systems is audited and anomalies reported on (i.e. via SIEM – Security Information and Event Management).
  • Conduct simulations such as disaster recovery scenarios to test the effectiveness of Security Standard Operating Procedures.
  • Be sure to properly delegate least privilege controls in Active Directory (i.e., do not give everyone Domain Admin).”

New government guidance on helpdesk cyber hygiene

The National Cyber Security Centre has issued guidance to help organisations' helpdesks stay protected from attackers. Social engineering has been revealed to be the initial attack strategy in the M&S hack, and there is speculation that it was used to target helpdesk staff at a third-party contractor.

Another recent high-profile helpdesk compromise was the hacking of MGM Resorts in the US, where a single vishing call (voice phishing, i.e. phishing over the phone) to the IT helpdesk resulted in what was undeniably an IT disaster.

Experts are calling for closer scrutiny of any request to the helpdesk to reset a password. Recommended measures include a strict ban on revealing information about privileged accounts over the phone or by email, and escalating any such request for further investigation. In practice that means verifying the requester through a channel the helpdesk already holds on record (a registered phone number, or a callback via the line manager), never through contact details supplied on the call itself, and treating a request to reset both the password and the MFA method for the same account as a red flag rather than a convenience.
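Two of the points above, Jake's call for activity across all systems to be audited and anomalies reported through a SIEM, and the guidance on scrutinising helpdesk password resets, come together in a detection. The following is an added example written for this newsletter, not code from Intersys, the NCSC or any organisation mentioned here. It correlates a helpdesk-initiated password reset with what the account does in the next 30 minutes and raises an alert when that includes a new MFA device being registered or a sign-in from an address the user has not used before, rated high for privileged accounts. The event schema, user names, IP addresses and the privileged-group list are all constructed for the example; the pattern it looks for is the generic helpdesk-assisted takeover sequence seen in cases like MGM, not a claim about the specific steps of the M&S incident.

```python
"""Correlate helpdesk password resets with what happens next on the account.

Added example, not code from Intersys or from any organisation named in the
newsletter. The log format, field names and every event below are constructed
for illustration; a real deployment would feed in the equivalent events from
the ticketing system, the identity provider and the SIEM.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical schema). Timestamps are ISO 8601, UTC.
SAMPLE_EVENTS = [
    {"ts": "2025-05-01T09:02:10", "event": "helpdesk_password_reset", "user": "jdoe",
     "actor": "helpdesk01", "src_ip": "10.0.5.7"},
    {"ts": "2025-05-01T09:05:31", "event": "mfa_device_registered", "user": "jdoe",
     "actor": "jdoe", "src_ip": "203.0.113.44"},
    {"ts": "2025-05-01T09:06:02", "event": "login_success", "user": "jdoe",
     "actor": "jdoe", "src_ip": "203.0.113.44"},
    {"ts": "2025-05-01T10:15:00", "event": "helpdesk_password_reset", "user": "asmith",
     "actor": "helpdesk02", "src_ip": "10.0.5.7"},
    {"ts": "2025-05-01T10:20:45", "event": "login_success", "user": "asmith",
     "actor": "asmith", "src_ip": "10.0.8.21"},
    {"ts": "2025-05-01T11:00:00", "event": "helpdesk_password_reset", "user": "bwong",
     "actor": "helpdesk01", "src_ip": "10.0.5.7"},
    {"ts": "2025-05-01T11:09:12", "event": "mfa_device_registered", "user": "bwong",
     "actor": "bwong", "src_ip": "10.0.8.40"},
]

# Constructed reference data. In practice: privileged-group membership exported
# from Active Directory, and each user's recently seen source IPs from the SIEM.
PRIVILEGED_USERS = {"jdoe"}
KNOWN_IPS = {"jdoe": {"10.0.8.30"}, "asmith": {"10.0.8.21"}, "bwong": {"10.0.8.40"}}
WINDOW = timedelta(minutes=30)


def correlate(events, privileged, known_ips, window=WINDOW):
    """Return one alert per helpdesk reset that is followed, within `window`,
    by an MFA device registration or a sign-in from an IP not previously seen
    for that user. Resets on privileged accounts are rated high."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append({**e, "ts": datetime.fromisoformat(e["ts"])})

    alerts = []
    for user, evs in by_user.items():
        for i, reset in enumerate(evs):
            if reset["event"] != "helpdesk_password_reset":
                continue
            indicators = set()
            for follow in evs[i + 1:]:
                if follow["ts"] - reset["ts"] > window:
                    break  # evs is time-ordered, so nothing later is in the window
                if follow["event"] == "mfa_device_registered":
                    indicators.add("mfa_reenrolled")
                elif (follow["event"] == "login_success"
                      and follow["src_ip"] not in known_ips.get(user, set())):
                    indicators.add("login_from_unknown_ip:" + follow["src_ip"])
            if indicators:
                alerts.append({
                    "user": user,
                    "reset_at": reset["ts"].isoformat(),
                    "reset_by": reset["actor"],
                    "severity": "high" if user in privileged else "medium",
                    "indicators": sorted(indicators),
                })
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS, PRIVILEGED_USERS, KNOWN_IPS):
        print(a["severity"].upper(), a["user"], "reset by", a["reset_by"], a["indicators"])
```

On the sample data this raises a high-severity alert for jdoe (privileged account, new MFA device and a sign-in from an unknown address minutes after the reset), a medium alert for bwong (MFA re-enrolled from a known address), and nothing for asmith, whose post-reset sign-in came from an address already on record. The bwong case is deliberately still an alert: an MFA reset shortly after a helpdesk password reset is exactly the step an attacker needs, so it deserves a human look even when it turns out to be legitimate. Recording the helpdesk operator on each alert also gives you the audit trail needed to spot an operator who is being targeted repeatedly.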

Deepfake detection: how to break the fake

You can’t trust anything you see online, and that includes videos of friends or colleagues. That is the clear message of 2025, a year in which, according to the UK government, the number of deepfake videos shared online is projected to pass the 8 million mark.

News headlines abound of unwitting victims falling for money transfer scams fronted by deepfakes of Elon Musk and Martin Lewis. Last year, an employee at a Hong Kong firm transferred around $25m (roughly £20m) to scammers after joining a video call populated by deepfakes of his colleagues.

The cyber security industry and government are calling for a culture that encourages scepticism, demands verification from even the most trusted sources and puts the onus on developers of AI technology to ensure that security is baked into the entire lifecycle of the product.

For a deep dive into deepfake detection, don’t miss MD Matthew Geyman’s advice here: https://intersys.co.uk/2025/05/19/deepfake-detection-and-protection-a-guide-for-organisations/

Legal Aid hack exposes personal data of society’s most vulnerable

Some of the UK’s most vulnerable citizens have had their personal data stolen by hackers. The Legal Aid Agency has revealed that a hack in April exposed vast amounts of legal aid supplier and applicant data. Some of the stolen information belongs to victims of domestic abuse and those at risk of serious harm.

The Legal Aid Agency is overseen by the Ministry of Justice and provides means-tested legal aid and advice to the general public. The breach has led to the Legal Aid online portal being taken fully offline.

The stolen data includes names, dates of birth, National Insurance numbers, financial records and criminal histories.

There has long been concern over the ageing infrastructure and outdated systems of the UK’s public sector. The National Audit Office, in a recent report, highlighted the cyber security vulnerabilities of the government’s ‘legacy’ IT systems. These public sector systems have also become prime targets for hostile states such as China and Russia.

Other vulnerabilities and updates

Patches were also released this month for the following issues. Check the relevant vendor advisory for affected versions and apply the fix within the 14-day window mentioned above:

  • Ivanti Endpoint Manager Mobile Authentication Bypass Vulnerability
  • Google Chromium Loader Insufficient Policy Enforcement Vulnerability
  • SAP NetWeaver Deserialisation Vulnerability
  • Fortinet Multiple Products Stack-Based Buffer Overflow Vulnerability
