
Marks & Spencer Hack Highlights Why Detection Isn't Enough Anymore

Another household name has fallen victim to cybercrime—this time, the target was Marks & Spencer (M&S). According to CyberNews, the breach was linked to compromised employee credentials from Tata Consultancy Services (TCS), a third-party IT provider used by the British retailer.

The attackers are believed to be part of the infamous “Scattered Spider” hacking group, known for targeting large enterprises through social engineering and credential theft.

The implications of this attack are broad, especially for any business that relies on external vendors or partners for IT services—a category that includes nearly every company today.

How It Happened: The Vendor Blind Spot

Initial reports suggest that the attackers used valid login credentials belonging to a TCS employee to get into M&S systems. That is the key point: the credentials were valid. No malware needed. No brute-force attack. Just a legitimate login, through an account M&S already trusted because it belonged to its IT provider. This is the new norm for threat actors: using real access, in real time, to walk past defenses that are looking for something that looks wrong.

The Scattered Spider group, which has previously been linked to attacks on MGM Resorts and Caesars Entertainment, doesn't waste time trying to "break in." Its usual route is social engineering, often a phone call to a help desk that ends with a password or MFA reset, followed by a walk through the front door using the resulting credentials and trusted third-party channels. Once inside, nothing about the session distinguishes the intruder from the account's real owner, so unless something limits what that session is allowed to do, the tactic succeeds.

Why Traditional Detection Falls Short

Most endpoint protection strategies still rely heavily on detecting malicious behavior—through alerts, antivirus signatures, or behavior monitoring tools. But what happens when there’s no clear signal to detect?

In the M&S case, everything likely looked normal to security systems. By the reported account, the attackers didn't need to exploit a software vulnerability or drop known malware. They used a third-party employee's login to gain access and then moved laterally, potentially without raising a red flag until it was too late. The signals such an intrusion does leave, for example a vendor account reaching servers it has never touched before, or logging on at an hour it never works, only exist after the access has already been used.
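To make the "too late" point concrete, here is an added example (not code from the original article, and unrelated to any real M&S or TCS telemetry) of the one kind of detection that does apply to a valid-credential intrusion: a per-account baseline of hosts, with an alert when an account fans out to several previously unseen hosts in a short window. The account name, hostnames and timestamps are constructed for the illustration. Note where the alert lands relative to the first out-of-baseline logon.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon events, not real M&S or TCS logs. Each tuple is
# (timestamp, account, host, source_ip); every entry is a *successful* logon with
# a valid password, so antivirus and signature engines have nothing to match on.
# "tcs-svc-ops" is a hypothetical third-party support account.
SAMPLE_EVENTS = [
    ("2025-04-10T09:02:00", "tcs-svc-ops", "helpdesk-01", "10.20.1.5"),
    ("2025-04-11T09:05:00", "tcs-svc-ops", "helpdesk-01", "10.20.1.5"),
    ("2025-04-12T09:01:00", "tcs-svc-ops", "helpdesk-02", "10.20.1.5"),
    ("2025-04-14T10:00:00", "tcs-svc-ops", "helpdesk-01", "10.20.1.5"),
    # Same valid account, now fanning out to servers it has never touched.
    ("2025-04-19T02:10:00", "tcs-svc-ops", "helpdesk-01", "10.20.1.5"),
    ("2025-04-19T02:14:00", "tcs-svc-ops", "fileserver-03", "10.20.1.5"),
    ("2025-04-19T02:21:00", "tcs-svc-ops", "sql-prod-01", "10.20.1.5"),
    ("2025-04-19T02:33:00", "tcs-svc-ops", "dc-02", "10.20.1.5"),
    ("2025-04-19T02:40:00", "tcs-svc-ops", "backup-01", "10.20.1.5"),
]
SAMPLE_CUTOFF = datetime(2025, 4, 18)   # end of the learning period for the baseline


def build_baseline(events, cutoff):
    """Map each account to the set of hosts it logged on to before `cutoff`.
    The only thing that distinguishes the intruder from the vendor's own staff
    is history, so that is what the detector has to lean on."""
    seen = defaultdict(set)
    for ts, account, host, _src in events:
        if datetime.fromisoformat(ts) < cutoff:
            seen[account].add(host)
    return seen


def detect_fanout(events, cutoff, window=timedelta(hours=1), threshold=3):
    """Flag an account that reaches `threshold` previously unseen hosts within `window`.

    Returns (alerts, first_new_host_ts):
      alerts            - list of (account, timestamp, [new hosts]) at the moment
                          the threshold is crossed
      first_new_host_ts - when the account first stepped outside its baseline,
                          i.e. how far the intrusion had progressed before anything fired
    """
    baseline = build_baseline(events, cutoff)
    recent = defaultdict(list)          # account -> [(ts, host)] of new-host logons
    alerts, first_new_host_ts = [], None
    for ts_s, account, host, _src in sorted(events):   # ISO-8601 strings sort chronologically
        ts = datetime.fromisoformat(ts_s)
        if ts < cutoff or host in baseline[account]:
            continue                    # known behaviour for this account: no signal at all
        if first_new_host_ts is None:
            first_new_host_ts = ts_s
        recent[account] = [(t, h) for t, h in recent[account] if ts - t <= window]
        recent[account].append((ts, host))
        if len(recent[account]) >= threshold:
            alerts.append((account, ts_s, [h for _, h in recent[account]]))
            recent[account].clear()     # start a fresh window after alerting
    return alerts, first_new_host_ts


def run_sample():
    """Run the detector over the constructed events with the sample cutoff."""
    return detect_fanout(SAMPLE_EVENTS, SAMPLE_CUTOFF)


if __name__ == "__main__":
    alerts, first_new = run_sample()
    print("first logon outside baseline:", first_new)
    for account, when, hosts in alerts:
        print(f"ALERT {when}: {account} reached {len(hosts)} new hosts: {', '.join(hosts)}")
```

On the constructed data the first out-of-baseline logon is at 02:14 and the alert fires at 02:33, by which time a file server, a database server and a domain controller have already been reached with nothing but a valid password. Lowering the threshold trades that lag for false positives every time a vendor is legitimately given a new system to support, which is the tension the article is pointing at.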

This incident underscores a truth that businesses can no longer afford to ignore: detection is too late.

The Case for Isolation and Containment

AppGuard takes a fundamentally different approach to endpoint protection. Instead of trying to detect and respond to threats after they have penetrated the system, AppGuard enforces a policy at the kernel level: actions that the policy does not permit are stopped before they execute, even when they come from a legitimate, authenticated user session. That covers lateral movement, unauthorized scripts, and privilege escalation, the core techniques used by groups like Scattered Spider.

In this model of "Isolation and Containment," applications are allowed to do what they normally do but are stopped from behaviors outside that envelope (for example, an email client or document viewer launching a script interpreter, or a user-space application writing into system directories), even if the action is initiated by a valid user account.

This approach is especially effective against modern tactics like:

  • Credential-based infiltration

  • Supply chain compromise

  • Fileless malware and living-off-the-land techniques

  • Zero-day attacks that traditional tools can’t yet detect

AppGuard doesn’t rely on signatures or detection rules. It doesn’t care whether the action is being taken by a hacker or a legitimate user who’s been compromised. If it’s not a permitted behavior, it’s blocked. Period.
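The distinction between "who is acting" and "what is being done" is the whole point of the section above, so here is an added example of a policy evaluator built on that principle. It is illustrative code written for this article, not AppGuard's implementation or rule set; the process categories, path prefixes and sample events are constructed for the demonstration. Note that `Event.user` is carried only for the audit trail and is never consulted by a rule.

```python
from dataclasses import dataclass

# Hypothetical policy tables for the simulation. Illustrative categories only,
# not AppGuard's actual rules.
USER_SPACE_APPS = {"outlook.exe", "winword.exe", "excel.exe", "chrome.exe", "teams.exe"}
SCRIPT_ENGINES = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
REMOTE_EXEC_TOOLS = {"psexec.exe", "wmic.exe", "winrs.exe"}   # common lateral-movement launchers
TRUSTED_LAUNCHERS = {"mmc.exe", "explorer.exe"}                # allowed to start admin tooling
PROTECTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")


@dataclass(frozen=True)
class Event:
    user: str      # recorded for the audit log only; no rule reads it
    parent: str    # process performing the action
    action: str    # "launch" | "write" | "inject"
    target: str    # child process, file path, or injection target


def evaluate(ev: Event) -> tuple[str, str]:
    """Return ("allow" | "block", reason) for one endpoint action.

    Every rule asks what the *process* is doing, never who is logged on, so a
    valid-but-stolen session gets exactly the same answer as the real user.
    """
    parent, target = ev.parent.lower(), ev.target.lower()

    if ev.action == "launch":
        if parent in USER_SPACE_APPS and target in SCRIPT_ENGINES:
            return "block", f"{ev.parent} may not start script engine {ev.target}"
        if target in REMOTE_EXEC_TOOLS and parent not in TRUSTED_LAUNCHERS:
            return "block", f"{ev.parent} is not a trusted launcher for {ev.target}"
        return "allow", "launch within policy"

    if ev.action == "write":
        if target.startswith(PROTECTED_PREFIXES) and (
            parent in USER_SPACE_APPS or parent in SCRIPT_ENGINES
        ):
            return "block", f"{ev.parent} may not write under a protected path: {ev.target}"
        return "allow", "write within policy"

    if ev.action == "inject":
        # Cross-process memory writes are how credentials get scraped from lsass;
        # nothing in this policy is allowed to do it.
        return "block", f"{ev.parent} may not write into the memory of {ev.target}"

    return "block", f"unknown action {ev.action!r} (default deny)"


def enforce(events):
    """Evaluate a stream of events; returns [(event, decision, reason), ...]."""
    return [(ev, *evaluate(ev)) for ev in events]


# Constructed sample events. "jane.doe" is an ordinary staff account, "tcs-svc-ops"
# a hypothetical third-party support account whose password an intruder holds.
SAMPLE_EVENTS = [
    Event("jane.doe",    "winword.exe",    "launch", "powershell.exe"),                  # macro -> script engine
    Event("jane.doe",    "winword.exe",    "write",  "C:\\Users\\jane\\Documents\\q1.docx"),
    Event("tcs-svc-ops", "cmd.exe",        "launch", "psexec.exe"),                      # lateral movement attempt
    Event("tcs-svc-ops", "powershell.exe", "write",  "C:\\Windows\\System32\\drivers\\upd.sys"),
    Event("tcs-svc-ops", "powershell.exe", "inject", "lsass.exe"),                       # credential theft attempt
    Event("tcs-svc-ops", "mmc.exe",        "launch", "psexec.exe"),                      # same tool, sanctioned launcher
    Event("tcs-svc-ops", "explorer.exe",   "launch", "outlook.exe"),
]


if __name__ == "__main__":
    for ev, decision, reason in enforce(SAMPLE_EVENTS):
        print(f"{decision.upper():5} user={ev.user:12} {ev.parent} -> {ev.action} {ev.target}: {reason}")
```

Run on the constructed events, the stolen vendor account is blocked from launching psexec from a shell, writing a driver into System32 and touching lsass, yet the same account is allowed to start psexec from the management console and to open Outlook: the policy never had to decide whether tcs-svc-ops was "really" the vendor. The cost of this model is the tuning work: every legitimate admin workflow has to end up in the allowed set, which is why rollout is an inventory exercise rather than a signature update.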

A Decade of Proven Success—Now Commercially Available

AppGuard has protected government and critical infrastructure systems for over ten years with no reported breach of a protected system. Now, this same technology is available for commercial use, giving small and midsize businesses the same level of protection once reserved for national security applications.

At CHIPS, we’re helping organizations adopt AppGuard and shift their security posture from passive reaction to proactive prevention. We believe the Marks & Spencer breach is just one more example of how today’s threat environment demands a new approach—one that doesn't wait for alerts to act.

The Bottom Line

If your business relies on third-party IT providers, or if you use software and services that connect externally, then you are exposed to the same risk that M&S faced: a partner's account is your account, and its credentials are only as safe as the partner's weakest help desk. And if you are still relying on detection and response tools alone, you are betting on spotting an intruder who, by design, looks exactly like one of your vendor's employees.

It’s time to move beyond Detect and Respond and adopt a strategy centered on Isolation and Containment.

Talk to us at CHIPS today about how AppGuard can protect your business from incidents like this—before they happen. Don't wait until you're the next headline.
