Dear M&S Security Team

Marks & Spencer Cybersecurity Attack


Dear Marks & Spencer Security Team,

We need to talk about Easter weekend.

£300 million. Six weeks offline. Your busiest retail period of the year, and customers couldn't buy anything online. All because Scattered Spider social-engineered their way past your contractor defenses.

We know you're dealing with the aftermath—the investigations, the board meetings, the endless questions about "how did this happen?" So we wanted to reach out with what we're seeing from the outside, because there are lessons here that go beyond M&S.

Scattered Spider didn't use a sophisticated zero-day exploit. They didn't bypass your firewalls or crack your encryption. They made a phone call. They targeted your contractors—third parties with legitimate system access but probably not the same security oversight as internal employees.

Someone answered the phone. Someone believed what they heard. Someone granted access. And your entire online shopping infrastructure went dark.

You're probably asking: "How did our security awareness training fail?" It probably didn't. Your contractors likely knew about social engineering in theory. They just didn't recognize it when they were the target.

"Why didn't our access controls stop this?" Because if a phone call can override your authentication, you don't have access controls—you have access suggestions.


Here's what went wrong at the fundamental level: your contractors had broad system access without controls that could resist social engineering. Multi-Factor Authentication (MFA) either wasn't enforced or wasn't resistant to bypass: phone-based authentication can be socially engineered, and Short Message Service (SMS) codes can be intercepted.

Third-party access was treated as lower risk than internal access. Scattered Spider knew this. They targeted contractors because external access points typically have weaker controls.

These are foundational security concepts. Access control principles. Authentication mechanisms. Third-party risk management. The kind of topics covered in entry-level security certifications because they're that fundamental to cybersecurity.

Your security team probably knew all the theory. But knowing the fundamentals and implementing controls that actually work when attackers are actively trying to bypass them—that's two different things.

This isn't about blaming your team. Social engineering attacks targeting third parties are incredibly difficult to defend against. But it does highlight the gap between theoretical security knowledge and practical implementation.

You're going to rebuild your contractor access controls now. Enforce MFA everywhere. Implement verification processes that can't be socially engineered. Treat third-party access as the high-risk attack surface it actually is.

And every other organization watching this £300 million lesson should be doing the same thing. Because if it happened to M&S—a major retailer with resources and security teams—it can happen to anyone.

Wait.

You're not the M&S security team, are you?

But if any of that letter felt uncomfortably familiar—if you're reading this and thinking about your own contractor access controls, your own third-party authentication, your own security fundamentals that might not hold up against a convincing phone call—then maybe that letter was for you after all.

The Scattered Spider gang isn't just targeting M&S. They're targeting organizations everywhere that have the same gap between theoretical security knowledge and practical implementation.

Understanding security fundamentals is the foundation of defending against these attacks. Not just knowing what social engineering is, but understanding access control architecture deeply enough to build controls that actually work when someone's actively trying to bypass them.

If you have team members who need to strengthen their security fundamentals—especially those handling contractor access, third-party authentication, or access control implementation—our Security+ bootcamp and Security+ masterclass focus on practical understanding, not just exam prep. We teach people how to implement controls that can't be defeated with a phone call.

Know someone who needs to hear this? Forward them this email. Better yet, make sure your team has the foundational knowledge to spot the next Scattered Spider before they cost you £300 million.

Stay secure,
The DestCert Team


The easiest and fastest way to pass the CISM exam


Master Information Security Management. Our team has helped thousands of professionals succeed with advanced certifications like CISSP and CCSP. Now we've taken that same proven approach and tailored it specifically for CISM!


Master CCSP as easily and quickly as possible


Designed for First-Time Success. Our bootcamp is built on a simple principle: prepare thoroughly for first-time success, but provide unwavering support if you need another attempt. Most certification programs focus on getting you there eventually. We focus on getting you there the first time.


Prepare to Pass CCSP: Get the Right CCSP App


Studying for the CCSP? Big news! We’ve just added 1,000 brand-new questions to our CCSP Exam Prep App—giving you even more ways to test your knowledge and boost your confidence. Whether you're brushing up on cloud security concepts or getting serious about exam day, the updated app is packed with fresh content that reflects the latest exam trends. Study anytime, anywhere, and get one step closer to becoming CCSP certified.

Free CCSP Data Center Design Mini MasterClass


If you’re interested in cloud security, check out our new FREE Mini MasterClass. It digs into data center design.
It’s based on the CCSP certification requirements, but even if you’re not thinking of getting certified, what you learn is very useful in practice if you ever need to deal with data centers.


Cybersecurity and privacy writer.
