[HN Gopher] Retail cyber attacks: NCA arrest four for attacks on...
___________________________________________________________________
Retail cyber attacks: NCA arrest four for attacks on M&S, Co-op and
Harrods
Author : sandwichsphinx
Score : 61 points
Date : 2025-07-10 17:44 UTC (5 hours ago)
(HTM) web link (www.nationalcrimeagency.gov.uk)
(TXT) w3m dump (www.nationalcrimeagency.gov.uk)
| clort wrote:
| Little information there about them, but I find it kind of
| surprising that the suspects are even UK based..
| beepboopboop wrote:
| Why is that surprising?
| golan wrote:
| I guess I'd expect them to be in a country where it'd be
| difficult to be apprehended and extradited. Being in the UK
| seems like a stupid move to me, but what do I know!
| immibis wrote:
| Was it a professional operation? Says they were 17. Some
| people playing around with their Commodore 64 except it's
| connected to the internet and a pretty big company.
| dylan604 wrote:
| Let's not pretend these kids were trying to hack the
| Gibson just for the lulz. Calling into help desk,
| requesting password resets with social engineering,
| getting into network, installing ransomware is all well
| beyond playing around. I know there are smart teens, but
| I would not be surprised to find out there is someone
| more experienced in the background that got the kids
| going if not even on behalf of.
|
| There are plenty of teens selling dope, stealing cars,
| breaking into homes, yet nobody thinks they're just
| knuckleheads playing around. Why do we think because "but
| on a computer" makes it different?
| dboreham wrote:
| You have to buy underwear or prawn sandwiches in the UK to know
| M&S exists?
| gluten_guardian wrote:
| Crazy how young all these cyber criminals are. When I was their
| age, the peak of my criminal career was scoring booze by lying
| about my age. I wish they shared a little bit on what
| cyberattacks they were conducting.
| pekim wrote:
| I suspect that it is related to the M&S and Co-op attacks.
| https://www.bbc.co.uk/news/articles/cwykgrv374eo
| MisterTea wrote:
| Young people have little fear of repercussion as they can't
| really fathom the consequences. Either they learn from this
| misadventure or go on being a career criminal. All of this
| depends on their home lives.
| scott_w wrote:
| This simply isn't true. Yes, teenagers are morons by the
| standard of a well adjusted 30 year old, but they're more
| than capable of understanding consequences for their actions.
|
| I hate to sound like my parents/grandparents but I absolutely
| knew that causing millions of pounds of damage and attempting
| to blackmail a major corporation could have huge negative
| consequences for people and myself at 17.
| immibis wrote:
| The probability they'll try to teach you to obey the law
| instead of locking you in a cell for life is significantly
| higher when you're 17 than when you're 35. Even better if
| you're 13, though.
| scott_w wrote:
| I'm a bit torn on that, honestly. Were this an
| embarrassing hack like the ones I read about as a
| teenager, I'd agree. However, they caused millions of
| pounds of damage to multiple companies (and their
| customers) and attempted to blackmail the CEO for profit.
|
| I'd be amazed, and I think the public would be outraged,
| if they got a slap on the wrist for this.
| stackskipton wrote:
| >I hate to sound like my parents/grandparents but I
| absolutely knew that causing millions of pounds of damage
| and attempting to blackmail a major corporation could have
| huge negative consequences for people and myself at 17.
|
| Sure but not all do. If you look at murders, most of them
| are in 15-24 range in United States so them being 17, 19
| and 20 tracks with what you expect.
| scott_w wrote:
| And yet most 15-24 year olds are not committing murder,
| this sentence:
|
| > Young people have little fear of repercussion as they
| can't really fathom the consequences.
|
| is not true.
| martinald wrote:
| But it is very well understood and accepted that teenage -
| especially male prefrontal cortexes don't fully develop
| until mid 20s.
|
| I'm sure they knew it could have major consequences, but
| when your risk taking pedal (limbic system) is pushed
| to the floor all the time and your risk avoidance brakes
| (prefrontal cortex) is not fully developed that all goes
| out of the window, not unlike being intoxicated.
|
| For example, I shudder to think how aggressively I drove
| when I first got a car - and I was very sensible compared
| to many people I knew! I hadn't actually driven for a couple
| of decades since I was an adolescent until very recently
| and I had to rent a car for something, but it was
| absolutely startling to me my frame of mind vs the last
| time I drove. All I can remember back then that driving was
| extremely fun and the more windy the road the better, this
| time all I could see was loads of giant risks.
|
| Now if you compare this to the whole population, if you
| have a segment of it that are much more risk seeking either
| through genetics or environmental reasons, you can see the
| problem.
|
| You can see this in all kinds of statistics at a societal
| level - crime, accidents, addiction risk. It is all much
| higher in these age ranges (and especially skewed towards
| males).
|
| I don't think we should just dismiss good science like this
| "because I knew better". It has always been a very grave
| societal issue that has tended to be ignored or downplayed.
|
| Obviously this doesn't give people carte blanche to do what
| they want - I'm not saying that. But hopefully societal
| views will catch up a bit with society and we can actually
| do something about it.
| scott_w wrote:
| > Young people have little fear of repercussion as they
| can't really fathom the consequences.
|
| > But it is very well understood and accepted that
| teenage - especially male prefrontal cortexes don't fully
| develop until mid 20s.
|
| Your statement here does not mean that the statement I
| quoted above is true. Just because biology predisposes
| one to doing stupid shit does not mean young people are
| incapable of understanding consequences and
| repercussions. The fact that most of us here never went
| out to cause millions of pounds of damage is testament to
| that.
| BoorishBears wrote:
| I don't understand why clarifying young folks are capable
| of understanding consequences and repercussions, but
| _will_ underperform at doing so for a myriad of reasons,
| including real physical differences in brain structure,
| should be this contentious.
| scott_w wrote:
| Because we're talking in the context of young people who
| executed a multi-stage criminal enterprise causing
| millions of pounds of damage, harming multiple companies
| and their customers, AND TRIED TO EXTORT THE CEO FOR
| PROFIT.
|
| This is not "behavioural immaturity" associated with an
| underdeveloped prefrontal cortex!
| michaelt wrote:
| There are some statements that, though reasonable in
| isolation, are almost always heard from people teeing up
| a really bad opinion.
|
| For example, if someone says "I'm not racist, but" I'm
| already rolling my eyes before they've even said what
| they're about to say.
|
| Similarly, when some people hear "prefrontal cortexes
| don't fully develop until" they start rolling their eyes
| pre-emptively at the infantilising, anti-personal-
| responsibility take that _usually_ follows. Even if it
| didn't, in your case.
| MisterTea wrote:
| Maybe I didn't phrase that quite right. I knew a kid who
| was caught by the FBI carding at just 14. He was totally
| aware of what he was doing but did not comprehend the
| severity of his crimes. Like I remember him just casually
| dismissing it as some cute prank. Apparently he was
| arrested, had his computer confiscated, then banned from
| using the Internet or a computer. I only heard that through
| others who knew him personally so who knows but I never saw
| him online after that incident (irc/icq/aim days.)
|
| So with that story, some teenagers don't or can't
| comprehend the severity of their crimes or the trial and
| punishment that ensues. To them it's just a dumb credit
| card company write off and a free laptop or whatever.
|
| I'll admit, I used to push limits. Used to do silly things
| with misfit friends. Got into a little incident where we
| pissed off some dudes, one who had a gun (no one shot but
| man having one pointed at you is scary AF.) Learned real
| fast not to do stupid "funny shit" that was really just
| jerk behavior. We never expected to have a gun pointed at
| us.
|
| That's what teenagers do, they push limits without thinking
| because they're rebellious. Looking to carve out their
| independence. Sometimes, they learn the hard way. That's
| just life.
| nkrisc wrote:
| Not sure I'd agree. I'm sure most people reading here at HN
| had some computer-related incident as a teenager that made
| them realize there could be real consequences goofing around
| with a computer. And I would guess of those that did, most
| heeded that warning.
| scott_w wrote:
| Yes, maybe these kids never learnt that lesson, for
| whatever reason. My point is that you can't make this
| general claim:
|
| > Young people have little fear of repercussion as they
| can't really fathom the consequences.
|
| Clearly, young people can. Maybe these young people
| couldn't, but that's a different claim.
| miohtama wrote:
| How bad your system be if it can be hacked by a kid?
| socalgal2 wrote:
| A kid can break all the windows in your house, smash in your
| door, set your house, car, bike, clothing on fire. I guess
| all those things are bad
|
| I'm not saying the system wasn't poorly implemented but,
| society doesn't work when people abuse everything either.
| Maybe that just means we're doomed but most of society works
| because people don't go around smashing and/or taking
| everything they possibly can.
| Aurornis wrote:
| 3/4 of them were over 18. The other was 17.
|
| It's also unclear if this was everyone, or just who they
| caught. It's not unknown for hacking groups to position the
| youngest (least experienced, most desperate for recognition)
| people in the most vulnerable positions.
| lyu07282 wrote:
| Apparently they pretended to be an employee and the help desk
| reset the password for them. Once in the door, active directory
| imploded as usual, with full access they encrypted everything and
| demanded ransom.
|
| Source: https://specopssoft.com/blog/marks-spencer-ransomware-active...
| Hilift wrote:
| Reminds me of Maersk. They had poor endpoint hygiene and no
| EDR. In 2017 about 90% of their infrastructure was wiped in
| less than one minute. They had to reinstall a lot of things due
| to backups weren't up to par. Usually level 1 merchants (> 6
| million transactions per year) are put on an audit and
| improvement plan if this occurs. In the UK, there could be an
| investigation and penalty from the ICO for the data breach.
| roywiggins wrote:
| > They had to reinstall a lot of things due to backups
| weren't up to par.
|
| "After a frantic search that entailed calling hundreds of IT
| admins in data centers around the world, Maersk's desperate
| administrators finally found one lone surviving domain
| controller in a remote office--in Ghana. At some point before
| NotPetya struck, a blackout had knocked the Ghanaian machine
| offline, and the computer remained disconnected from the
| network. It thus contained the singular known copy of the
| company's domain controller data left untouched by the
| malware--all thanks to a power outage... So the Maidenhead
| operation arranged for a kind of relay race: One staffer from
| the Ghana office flew to Nigeria to meet another Maersk
| employee in the airport to hand off the very precious hard
| drive. That staffer then boarded the six-and-a-half-hour
| flight to Heathrow, carrying the keystone of Maersk's entire
| recovery process."
|
| https://www.wired.com/story/notpetya-cyberattack-ukraine-rus...
| aaronrobinson wrote:
| This stinks of foreign sponsorship. I can see how they could pull
| off the social engineering but being able to work their way
| around a foreign system like they did - no way.
| lyu07282 wrote:
| Active directory has become an invaluable tool for ransom
| gangs, it not only gives them effortless root access on every
| system, but also documents the company structure so you can
| focus your resources. This isn't sophisticated at all.
| casenmgreen wrote:
| Evil Tor users are blocked. Can't read site.
| jancsika wrote:
| I only read sites that are written in Rust, and I can't load
| this one either.
|
| Can someone post a String Literal for us, please?
| testfrequency wrote:
| Omg rust is so fast. Did you know that?
|
| edit: wow, fun is cancelled for today it seems
| golan wrote:
| Related Reddit thread :
| https://www.reddit.com/r/cybersecurity/s/LXb88TKC4M
| bargainbin wrote:
| This doesn't surprise me. I work for a company that hires a
| substantial headcount from TCS, probably one of their biggest
| clients, and the quality of the work is astonishingly bad.
|
| I'd recommend avoiding at all costs but we all know these
| companies are brought in by non-technical people.
| toomuchtodo wrote:
| +1 from first hand experience with TCS
| miohtama wrote:
| In a proper capitalistic system, those who build low quality
| e-commerce services, including hackable ones, should go out of
| business and replace more competent companies. This includes
| buying services from bad suppliers.
|
| This Reddit post hints that many shortcuts were taken, security
| not taken seriously when they should have, and now they reap
| what they sow.
| skippyboxedhero wrote:
| There has been no reaping. MKS shares were largely unimpacted
| (despite this costing at least £300m). Management have tried
| to deflect, said this was a highly sophisticated attack, said
| that other firms had been hacked but just didn't report it,
| endless amounts of lying.
|
| The reality is that decreasing costs is a far easier lever to
| pull than increasing revenue so managers will be heavily
| incentivised to do this if you give them profit-based
| incentives. This happens every few years with listed
| companies in the UK now, no-one ever changes their behaviour
| (retail, in particular, is ground zero for bluffers in the
| UK, managers are exceptionally bad, and even worse are comp
| committees that set targets that cannot be achieved without
| damaging long-term value).
|
| There is no efficient market here. It is as simple as
| managers understanding the world we now live in, and that is
| unlikely because all these companies view IT as a cost and
| their managers are people who rotate through executive roles
| and politics despite leaving a flaming wreck in their wake.
| Things will stay the same.
| immibis wrote:
| In capitalism-as-explained-by-capitalists, that would happen.
| In actual capitalism, it would not.
| lyu07282 wrote:
| That's a very naive view of capitalism, there is nothing
| inherently preventing companies from being negligent in
| infosec no matter how "proper" that system is. Also wouldn't
| defunding the ICO make it more proper?
| chrisweekly wrote:
| "go out of business and replace more competent companies"
|
| ... be replaced by more competent companies
| helloooooooo wrote:
| They do. Security is about risk management. It's all very
| actuarial. If the damages from an attack are severe enough
| (ie. a company makes it go bankrupt), that's capitalism
| working.
| Aurornis wrote:
| > In a proper capitalistic system, those who build low
| quality e-commerce services, including hackable ones, should
| go out of business
|
| If the impact is large enough, they do.
|
| This is not a case where binary thinking works for most
| situations, though. The costs associated with the attack will
| hurt them by damaging their balance sheets a little bit,
| taking capital away from more productive opportunities, and
| distracting their employees from more fruitful tasks.
|
| There's always a public thirst for immediate blood in these
| situations, but the damage is more subtle and manifests more
| as opportunity cost than a sudden collapse of the company.
| The demand for sudden stock market collapse of companies is
| ironic, given all of the criticisms thrown at companies for
| putting too much emphasis on short term stock results.
| mattigames wrote:
| "proper capitalist system" aka fantasy capitalism, a utopic
| capitalism that lacks operations/tasks where deceiving is
| cheaper than doing things correctly, yes I am one of those
| that don't believe that such thing is compatible with human
| nature.
| SheinhardtWigCo wrote:
| > In 3 of 4 calls, the service desk reset passwords and re-
| enrolled MFA with zero resistance. The caller simply gave a
| name - no validation, no callback, no check. On the 4th call,
| the attacker requested access to a privileged group. The TCS
| agent asked for an employee ID. The ID given didn't even match
| our company's format; and yet, the access was granted anyway.
|
| Yikes
| djaychela wrote:
| A friend of mine is senior management at one of these companies.
| His life has been a real nightmare trying to get things back on
| track - there are so many interconnected systems that they needed
| to get back up 'clean' and running just to get their normal
| business running, let alone the online side. And he's not even
| directly responsible for any of this, but it's all so embedded in
| a modern retail business that if something like this happens it's
| _your_ problem to deal with to a degree. The stress caused by
| this sort of thing is immense.
| mtkd wrote:
| >it's your problem to deal with to a degree
|
| How is it not the responsibility of senior management at a
| major retailer to ensure an exploit at a vendor can't take the
| whole house of cards down?
|
| Many other major enterprise clients out there are all over
| vendor security/compliance ... auditing and reauditing vendors
| to minimise chance of this happening or worst-case, if it does
| happen, containing it and recovering quickly
| devwastaken wrote:
| Cyber crime does not exist. Only deficient systems intentionally
| designed to be exploited exist. If you want your "cyber
| infrastructure" to not be attacked, don't make it vulnerable. All
| tech is artificial, not of nature.
|
| Require software to be developed by licensed engineers. No more
| offshoring. No more importing of cheap labor. Make tech corps pay
| instead of accruing mass wealth. Make the corps pay when the
| vulnerabilities they put in it are exploited.
| tsm wrote:
| Theft does not exist. Only deficient windows intentionally
| designed to be breakable exist. If you want your "personal
| possessions" to not be taken, don't make them vulnerable. <etc>
|
| Yes, the companies involved should take some responsibility for
| terrible security practice (though I'm sure they wish this had
| never happened!) but victim-blaming doesn't justify crime.
___________________________________________________________________
(page generated 2025-07-10 23:00 UTC)