From Runway to Runaway
How Scattered Spider Cost M&S £300 Million in Tea-Break Time
In the time it takes a London kettle to reach boil number three during afternoon tea, Britain's 139-year-old high-street icon lost its entire digital storefront to a social-engineered support rep and a single stolen One-Time Password.
Critical Alert
Scattered Spider operators infiltrated Marks & Spencer through help-desk social engineering, using a 6-digit OTP read aloud by a tricked agent to gain global admin access and cause £300 million in losses over 72 hours.
When "Tea Break" Became "Take-Break"
| Date (April 2025) | Event |
|---|---|
| 08 Apr 14:17 | Scattered Spider operator phones M&S outsourced IT help-desk (TCS); poses as "Alex from Oxford Street" |
| 08 Apr 14:22 | Attacker recites publicly-available staff ID + last-4 of NI (from 2020 breach) – tricks agent into reading 6-digit OTP aloud |
| 08 Apr 14:25 | OTP used to enroll new Duo Security device; O365 session hijacked |
| 08 Apr 14:31 | Azure AD sync exploited – global admin rights granted to fake "Emergency-Admin" account |
| 08 Apr 15:00 | 1,500 POS tills, m&s.com, Click & Collect, Sparks app – all returning 404 |
| 09-10 Apr | Website kept offline; £5M/hour lost sales; social media flooded with #WhereIsMyOrder |
| 11 Apr 03:44 | Full e-commerce stack restored; forensics still counting 300k leaked customer records |
| 20 Apr | Quarterly earnings: £300M impact – 9% drop in Q1 2025 profit guidance |
"The incident was contained within 72 hours; no evidence credit-card data was compromised."
— Marks & Spencer regulatory filing, 12 Apr 2025
Fallout: From High Street to High Anxiety
Lost revenue – £5M/hour while site dark; Click & Collect down 68 hours
Customer records exfiltrated – names, addresses, last-4 card digits, Sparks loyalty points
In-store POS tills showed nginx 404 – cash-only for 36h; average basket down 42%
Share price: MKS falls in five days; £1.8B market-cap erased
Potential GDPR fine up to £30M (4% of £750M UK revenue)
London filing – customers seek £750 each under UK Data Protection Act 2018
Kill-Chain Deconstructed: OTP → Global Admin → Global Blackout
| MITRE Tactic | Technique | M&S Reality |
|---|---|---|
| Initial Access | T1566.002 | Voice phishing (vishing) – help-desk social engineering |
| Persistence | T1098.003 | New "Emergency-Admin" added to Azure AD Global Admin role |
| Privilege Escalation | T1078.002 | Compromised Duo session → Azure AD → role assignment |
| Impact | T1491.001 | Index.html replaced with 404 template – "Site under maintenance" |
| Exfiltration | T1567.002 | 300k rows zipped → rclone to Mega → public link shared on Telegram |
Root Causes: Help-Desk Habits That Helped the Hackers
- 1
No call-back verification – agent failed to dial store manager before reading OTP aloud
- 2
Over-privileged help-desk accounts – TCS agent could create global admins via service-desk portal
- 3
Flat Azure AD roles – Global Admin = 600 people; no PAM elevation required
- 4
Missing voice-analytics – no anomaly flag for unknown caller requesting high-privilege action
- 5
Incident comms lag – website kept offline 68h while PR team drafted holding statements
Expert Insight: "Voice Is the New Phish"
"M&S proves that the weakest link isn't technology—it's the human on headset. If your help-desk can crown a king in five minutes, you need a new crown."
— Javvad Malik, Security Awareness Advocate, KnowBe4
Five NIST Controls That Turn the Tea Break into a Security Break
Out-of-band verification
Call-back to manager's mobile before any privilege escalation
Privileged Access Management (PAM)
Just-in-time elevation – 15-min window, ticket number required
Voice-biometrics + anomaly
AI voice-print – flag unknown caller requesting admin action
Split-privilege help-desk
L1 can reset passwords only; L2 requires manager approval
Crisis comms playbook
Pre-approved "site maintenance" message + Twitter ads in <30 min
Quick-Start Playbook: What to Do Before the Kettle Boils Again
Disable "Global Admin" creation via service-desk portal; force PAM workflow
Enable voice-anomaly in contact-centre; block privilege requests from unknown numbers
Deploy FIDO2 keys for all Tier-2 agents; no OTP over phone allowed
Table-top vishing exercise; measure time from call → privilege grant
Red-team social-engineering test; any successful privilege escalation = fail
The Tea-Break Challenge
Scattered Spider spent 72 hours inside M&S's empire, but the initial crown-stealing call lasted the same 180 seconds your kettle needs for a third afternoon refill.
If a £6 billion British icon can be tea-bagged between boil and biscuit, ask yourself:
"What am I doing during the time it takes to boil a kettle for afternoon tea?"
Verified Sources
- 1. M&S regulatory notice on cyber incident Marks & Spencer, 12 Apr 2025
- 2. M&S shares fall 11% after 72-hour outage London Stock Exchange, 17 Apr 2025
- 3. ICO opens investigation into M&S data breach ICO press release, 19 Apr 2025
- 4. Class-action lawsuit filed over M&S breach Leigh Day solicitors, 25 Apr 2025
- 5. Scattered Spider vishing tactics KnowBe4 blog, 20 Apr 2025
Protect Your Help Desk from Social Engineering
Don't let voice phishing turn your support team into attackers' accomplices. Get a free security assessment to identify help-desk vulnerabilities and implement proper verification procedures.