
Incident White Paper

When A Phone Call Bypassed Every Control

The M&S 2025 Social Engineering Breach: How a Single Outsourced Help Desk Became the Perimeter

Published

August 20, 2025

Author

Frank Kahle

Executive Summary

In February 2025, Scattered Spider—a sophisticated social engineering collective—infiltrated Marks & Spencer's network with a single phone call to an outsourced help desk operated by Tata Consultancy Services. No exploit. No zero-day vulnerability. A person answered the phone.

Within weeks, DragonForce ransomware encrypted M&S systems. Online sales shut down for 46 days. The company lost an estimated £3.8 million per day in revenue. By the time M&S regained control, the incident had cost £300 million in profit impact—nearly one-third of the company's annual operating profit.

The same group then hit Harrods and the Co-operative Group with the same methodology. A CEO can understand this: every technical control in the world means nothing if someone can call a help desk and have a password reset. Every CFO can feel the £3.8M daily loss. Every board should recognize that outsourcing identity management to a third party made that third party your cybersecurity perimeter, whether or not anyone noticed at the time.

What Failed

M&S had the standard stack of technical controls: firewalls, intrusion detection, endpoint protection, network segmentation, multi-factor authentication. None of it was built to stop an attacker who is handed a valid credential by the help desk, so none of it did.

The failure was not technical; it was organizational. M&S outsourced its IT help desk to TCS, a global contractor. When Scattered Spider called that help desk claiming to be an M&S employee, they triggered a process: verify identity, reset password, restore access. The help desk did its job. They had no visibility into whether the person on the line was actually an M&S employee. They had no way to detect that the request was malicious. They simply followed procedure.

With a legitimate credential in hand, the attackers worked their way into Active Directory and extracted NTDS.dit, the database every domain controller runs on, which holds the NT password hash of every account in the domain. Reading that file requires Domain Admin-equivalent rights (or the directory replication rights that the DCSync technique abuses), so the reset account was a foothold, not the finish line; an escalation step sits between the two. They did not crack the hashes. They did not need to. Windows authenticates with the NT hash itself: NTLM accepts it directly (pass-the-hash), and the krbtgt account's hash lets an attacker forge Kerberos tickets for any user in the domain. Holding NTDS.dit is holding every door key in the building.
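To make concrete why the hashes did not need cracking, here is an added example (not code from this paper, and not tooling used in the incident) that builds the NT hash and the NTLMv2 authentication proof as MS-NLMP defines them, then shows that a proof derived from a hash copied out of a constructed NTDS dump line is byte-identical to the one a legitimate client computes from the password. The username, domain, dump line, server challenge and blob are all made up for the demonstration; MD4 is implemented in pure Python because hashlib only exposes it when OpenSSL's legacy provider is loaded.

```python
import hashlib
import hmac
import struct


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 needs OpenSSL's legacy provider, so it is done here."""
    mask = 0xFFFFFFFF
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z

    # Padding: 0x80, zeros until the length is 56 mod 64, then the bit length as little-endian uint64.
    bit_len = len(data) * 8
    data = data + b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64) + struct.pack("<Q", bit_len)

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                # Each step updates one register; rotating the tuple walks ABCD -> DABC -> CDAB -> BCDA.
                a, b, c, d = d, rol((a + fn(b, c, d) + x[idx] + k) & mask, shifts[i % 4]), b, c
        a0, b0, c0, d0 = (a0 + a) & mask, (b0 + b) & mask, (c0 + c) & mask, (d0 + d) & mask
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """The NT hash as stored in NTDS.dit: unsalted MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_proof(nt: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr from MS-NLMP 3.3.2. The only secret input is the NT hash; the password never appears."""
    response_key = hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(response_key, server_challenge + blob, hashlib.md5).digest()


# Constructed dump line in the common user:rid:lmhash:nthash::: layout. Made up for the example, not M&S data.
DUMP_LINE = "CORP\\j.smith:1105:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::"


def nt_hash_from_dump(line: str) -> bytes:
    return bytes.fromhex(line.split(":")[3])


def pass_the_hash_matches_legit_client() -> bool:
    """Both sides answer the same (constructed) challenge; the attacker side never learned the password."""
    challenge = bytes.fromhex("0123456789abcdef")  # 8-byte ServerChallenge, constructed
    # Minimal NTLMv2 temp blob (version, reserved, timestamp, client nonce, padding), constructed.
    blob = bytes.fromhex("0101000000000000") + b"\x00" * 8 + b"\x11" * 8 + b"\x00" * 4
    legit = ntlmv2_proof(nt_hash("password"), "j.smith", "CORP", challenge, blob)
    stolen = ntlmv2_proof(nt_hash_from_dump(DUMP_LINE), "j.smith", "CORP", challenge, blob)
    return legit == stolen


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    print("proof from stolen hash == proof from password:", pass_the_hash_matches_legit_client())
```

The takeaway for defenders is in the signature of `ntlmv2_proof`: the protocol's secret is the hash, so any copy of NTDS.dit is a copy of every password in usable form, and the only remedy after a dump is a full domain credential rotation including two resets of krbtgt.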

By late April, when ransomware activated across M&S systems, the breach was already weeks old. Technical teams detected encryption and began response. But by then, attackers had already exfiltrated data and established multiple persistence mechanisms. The damage was done.

Multi-factor authentication did not stop this attack, and the attackers did not need to defeat it. A help desk reset hands the caller a working credential, and help desk workflows that reset passwords typically also re-enroll MFA, placing the second factor on whatever device the caller names. MFA can only protect an identity that was verified when the credential was issued. M&S's fundamental assumption, that the help desk would only act on legitimate requests, broke under the simplest social engineering pressure.

The Decision Timeline: From Breach to Disclosure

February 2025

Initial Compromise

Scattered Spider makes the phone call to the TCS help desk. An M&S employee credential is compromised. Active Directory and NTDS.dit are accessed.

April 19–21, 2025 (Easter Weekend)

Ransomware Activation & Customer Impact

DragonForce ransomware encrypts critical systems. M&S's online ordering platform goes offline. In-store contactless payments and Click & Collect services fail. Customer-facing systems collapse across 1,049 UK stores.

April 24, 2025

Public Disclosure & Incident Response Begins

M&S acknowledges the breach publicly. The company switches 65,000 staff to pen-and-paper inventory management across 1,049 stores. Automated stock systems remain offline.

May 21, 2025 (27 Days Later)

Financial Impact Disclosed

M&S announces to investors that the breach will cost approximately £300 million in operating profit—30.5% of the company's annual profit target. Online clothing sales remain offline for a total of 46 days.

June–July 2025

Sector-Wide Spread Confirmed

Investigators confirm that Harrods and the Co-operative Group were hit by the same attackers using identical social engineering methods. The UK retail sector faces a crisis of confidence in third-party identity management.

What the Financial Impact Really Means

Numbers can abstract disaster. Let's be concrete:

  • £3.8M: revenue lost per day in online sales during the 46-day shutdown
  • 46 days: total duration of online sales disruption (clothing, home, beauty)
  • £300M: total profit impact in FY25/26 (insurance expected to recover about £100M; net cost approximately £200M)
  • £500M+: market capitalization lost in the weeks following disclosure
  • 65,000 staff: required to revert to manual, pen-and-paper inventory processes

For M&S, this was not just a data breach. It was an operational catastrophe. When your online platform goes dark for 46 days in a key trading season, you do not just lose sales; you lose customer trust, market share, and shareholder confidence. None of that is recovered in a quarter.

The broader impact: a £500 million market cap destruction and the revelation that every major UK retailer's third-party help desk is now visible to sophisticated attackers as a single point of failure.

What the Incident Exposed

The Third-Party Identity Perimeter

M&S had outsourced a critical function—help desk support—to a third party. That decision made business sense: TCS is a global IT services provider with expertise, scale, and 24/7 capacity. But it created a security perimeter that M&S could not directly control.

Scattered Spider understood this instantly. They did not attack M&S's firewalls or endpoints. They attacked the weakest link in the perimeter: the person answering the help desk phone. That person had no way to verify identity beyond what the attacker told them. They had no real-time access to M&S's employee directory. They had no threat intelligence context. They simply followed the help desk procedure, which existed to help employees who had legitimately lost access.

Boards must understand: every outsourced IT function, every managed service provider, every cloud vendor's support desk—these are now part of your security perimeter. If you have not explicitly managed and monitored these third parties as critical security infrastructure, they are a liability masquerading as a cost optimization.

The Operational Resilience Blind Spot

M&S has 1,049 UK stores. The company operates one of the largest retail inventory systems in Europe. When ransomware encrypted the automated stock management system, 65,000 staff had no visibility into what was in stock, where it was located, or what to order next.

The response: pen and paper. Literally. Staff reverted to manual inventory processes used in the 1990s. This worked, but it meant that during the busiest retail period (late April into May), M&S's operational agility collapsed. Delivery logistics suffered. Store-to-store transfers became impossible to track. Click & Collect could not function because the company could not reliably know what stock existed.

This reveals the true cost of digital dependency: M&S's business resilience did not degrade gracefully. It fell off a cliff. There was no documented, tested operational manual for running stores without real-time IT systems. No alternate procedures. No business continuity plan that had actually been rehearsed.

How Fast the Playbook Spread

M&S was compromised in February. Harrods and Co-op were then targeted with the same methodology, social engineering of outsourced help desks, in the following months. Scattered Spider recognized that the technique had worked and reused it across the sector.

A phone call costs nothing. Training an outsourced help desk to resist social engineering costs time, money, coordination across vendors, and difficult conversations with service providers about why security is their problem too. So most companies do nothing. Scattered Spider was betting on exactly that.

The Data That Was Lost

The attackers exfiltrated the NTDS.dit file, containing Windows domain password hashes for M&S's entire IT estate. They also extracted personal data on M&S's online customers: names, email addresses, postal addresses, dates of birth, online order history, phone numbers, and masked payment details.

Notably, the attackers did not obtain usable payment information; M&S's payment processing was segregated. But they obtained everything needed for targeted phishing, credential stuffing, and social engineering against M&S employees and customers, and in NTDS.dit they obtained the master key to the domain. That data becomes tradeable currency in underground markets and stretches the damage of the breach across months or years.

The Resilience Lens: What This Attack Reveals About Unpreparedness

Cyber resilience is not the absence of breaches. It is the ability to absorb a breach and continue operating. M&S failed that test.

The company had clearly invested in technical security: firewalls, endpoint protection, network monitoring, MFA. These are table stakes. But it had not invested in the scenarios that actually cost money: operational alternatives when systems fail, third-party identity risk management, crisis communication protocols, and the ability to run a 1,000+ store retail operation without real-time IT.

Resilience also requires honesty. M&S outsourced help desk support to TCS without formally establishing what "identity verification" actually means in a help desk context. It assumed that procedures would be followed. It did not assume—or plan for—the possibility that an attacker would call that desk and exploit the very procedures designed to help legitimate employees.

A resilient organization would have:

  • Documented, tested procedures for running critical operations without automated systems
  • Conducted tabletop exercises simulating both a help desk compromise and consequent operational chaos
  • Established formal security requirements with all third-party service providers, including social engineering resilience training
  • Monitored help desk activity through a third party or through periodic audits for suspicious patterns
  • Practiced incident response scenarios involving simultaneous operational and security disruption

M&S appears to have done none of these things. The result was a 46-day shutdown and a £300 million loss.

What Boards Should Be Asking Now

If you are a board member at a major organization, the M&S incident is not a warning sign of what *could* happen. It is evidence of what *is* happening across the sector. Your duty is to ask these questions of your executive team:

  1. Who handles identity verification and password resets for your organization, and how do they verify identity? If the answer is "an outsourced help desk" or "a managed service provider," then you need to know, in detail, what verification steps they follow and whether they have been trained to resist social engineering. Ask for documentation. Ask for evidence of training. Ask what happens if that help desk is compromised.

  2. Can your organization operate for 46 days without your core IT systems? If the answer is "we don't know" or "probably not," then you have a critical vulnerability. Operational resilience is not optional for large organizations. It must be explicitly documented and periodically tested.

  3. Have you tested your incident response plan? Not a review, not a walkthrough, but an actual simulation involving operational chaos, communications breakdown, and partial system failure. M&S's response (reverting to pen and paper) suggests they had not thought through this scenario in advance.

  4. What is your organization's single point of failure from a help desk perspective, and how is it monitored? If a single phone call to an outsourced help desk can compromise your domain, you need additional controls: call verification protocols, periodic audits, anomaly detection on credential resets, and explicit authorization requirements before a reset of any privileged account.

  5. How much of your digital infrastructure is fully dependent on third parties, and what are your explicit contractual requirements for their security posture? Outsourcing is efficient, but it is not risk-free. Your contracts should specify security training, incident response obligations, and audit rights.
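The "anomaly detection" item above is the one that can be turned into code. The following is an added example, not part of this paper and not any vendor's product: a small detector run over a constructed set of normalized help desk and sign-in audit events (the privileged account names, the per-user IP baselines, the operator names and the thresholds are all assumed). It flags three patterns a tier-1 reset workflow should never produce unchallenged: a help desk operator resetting a privileged account, a reset followed within minutes by MFA re-enrollment and then a sign-in from a source the user has never used, and a burst of resets by one operator. On Windows the reset itself is Security event 4724; the flat event schema here is a simplified stand-in for whatever your identity provider exports.

```python
from datetime import datetime, timedelta

# Accounts a tier-1 help desk must never reset on a phone call. Assumed policy list, not M&S's.
PRIVILEGED = {"da-backup", "svc-adconnect"}

# Per-user baseline of sign-in source IPs. Assumed here; in practice built from weeks of sign-in logs.
KNOWN_IPS = {"j.smith": {"198.51.100.5"}, "a.jones": {"198.51.100.9"}}

# Constructed sample of normalized audit events (not records from the incident). Windows event 4724
# and an IdP's "reset password" / "register security info" / "sign-in" records would map onto these.
EVENTS = [
    {"ts": "2025-02-10T09:02:00", "action": "password_reset", "operator": "hd-agent-17", "target": "j.smith"},
    {"ts": "2025-02-10T09:04:00", "action": "mfa_reenroll", "operator": "hd-agent-17", "target": "j.smith"},
    {"ts": "2025-02-10T09:11:00", "action": "signin", "target": "j.smith", "src": "203.0.113.40"},
    {"ts": "2025-02-10T10:30:00", "action": "password_reset", "operator": "hd-agent-03", "target": "a.jones"},
    {"ts": "2025-02-10T10:45:00", "action": "signin", "target": "a.jones", "src": "198.51.100.9"},
    {"ts": "2025-02-10T11:00:00", "action": "password_reset", "operator": "hd-agent-17", "target": "da-backup"},
    {"ts": "2025-02-10T11:05:00", "action": "password_reset", "operator": "hd-agent-17", "target": "b.lee"},
    {"ts": "2025-02-10T11:06:00", "action": "password_reset", "operator": "hd-agent-17", "target": "c.ng"},
    {"ts": "2025-02-10T11:07:00", "action": "password_reset", "operator": "hd-agent-17", "target": "d.ali"},
]

# Thresholds are assumed starting points; tune against your own help desk's normal volume.
RESET_TO_MFA = timedelta(minutes=15)
RESET_TO_SIGNIN = timedelta(minutes=60)
BURST_WINDOW = timedelta(hours=1)
BURST_THRESHOLD = 4


def _t(event):
    return datetime.fromisoformat(event["ts"])


def _within(later, earlier, window):
    return timedelta(0) <= _t(later) - _t(earlier) <= window


def detect(events):
    """Return a list of findings; each is a dict with a 'rule' key plus the identifiers an analyst needs."""
    events = sorted(events, key=_t)
    resets = [e for e in events if e["action"] == "password_reset"]
    findings = []

    for r in resets:
        # Rule 1: privileged accounts are out of scope for phone-based resets, full stop.
        if r["target"] in PRIVILEGED:
            findings.append({"rule": "privileged_reset_by_helpdesk", "operator": r["operator"], "target": r["target"]})

        # Rule 2: reset -> MFA re-enrollment -> sign-in from a source this user has never used.
        mfa = any(e["action"] == "mfa_reenroll" and e["target"] == r["target"] and _within(e, r, RESET_TO_MFA)
                  for e in events)
        new_src = [e["src"] for e in events
                   if e["action"] == "signin" and e["target"] == r["target"] and _within(e, r, RESET_TO_SIGNIN)
                   and e["src"] not in KNOWN_IPS.get(r["target"], set())]
        if mfa and new_src:
            findings.append({"rule": "reset_takeover_pattern", "operator": r["operator"],
                             "target": r["target"], "src": new_src[0]})

    # Rule 3: one operator issuing many resets in a short window (an attacker working a list, or a coerced agent).
    by_operator = {}
    for r in resets:
        by_operator.setdefault(r["operator"], []).append(_t(r))
    for operator, times in by_operator.items():
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= BURST_WINDOW)
            if count >= BURST_THRESHOLD:
                findings.append({"rule": "reset_burst", "operator": operator, "count": count})
                break
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Rule 2 is the one that matches the shape of this incident: a reset alone is routine, but a reset that is immediately followed by a new second factor and a sign-in from an unfamiliar network is the sequence a caller impersonating an employee produces, and it is visible in the logs before anything touches a domain controller.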

Conclusion: A Phone Call Is Enough

Marks & Spencer invested heavily in technical security controls. None of it mattered because a person answered the phone.

Scattered Spider proved that you do not need zero-days, nation-state funding, or undetectable malware. You need social engineering skill and the knowledge that somewhere in your organization, a third party is answering the phone and will help employees regain access. They are doing their job correctly. The attacker is simply impersonating an employee better than you've prepared for.

The £300 million cost of the M&S incident is not a technical problem with a technical solution. It is an organizational and operational resilience problem. It is the cost of assuming that your third parties are not part of your security perimeter. It is the cost of not documenting and testing what happens when your core systems go dark. It is the cost of nobody explaining social engineering risk to the CEO in terms a CEO can act on.

Harrods and Co-op learned this the hard way. Scattered Spider moved to them next, using the same playbook. How many other organizations—financial services firms, healthcare providers, government agencies, utilities—are currently vulnerable to this exact attack and don't yet know it?

The only defense is preparation. Organizations that have rehearsed this scenario, that have documented operational alternatives, that have explicitly hardened their third-party identity perimeter, and that have trained their help desks on social engineering resistance will survive the next Scattered Spider phone call. Everyone else will get a call they're not ready for.

Rehearse This Scenario

CrisisLoop builds structured executive exercises around real-world incidents like this one. If your leadership team has never rehearsed a social engineering attack that bypasses every technical control through a third-party help desk, that gap is worth closing before it plays out at your organisation.

