To be concerned at our absolute sheer vulnerability to cyberattacks

[Nutmuncher]

The M&S and Co-op attacks need to be a wake up call to every business, service provider, leader, policy maker and contingency planner in this country. All it would take to bring complete chaos to every town and city in the country would be a simultaneous attack on our supermarkets and their supply chains.

The M&S attack is now weeks on and it’s plain to see that whatever systems they used prior to this were finely tuned to ensure stores were well stocked all of the time and that without these systems it is virtually impossible to have any semblance of operational continuity. Until I walked in and saw my local M&S almost fully depleted of fresh fruit, salad, vegetables, ready meals, sandwiches, cereals, tinned goods, bakery I was blissfully unaware of how much of an impact these attacks could have.

Now imagine if these attackers did the same to Tesco, Sainsbury’s, Asda, Morrisons, Lidl, Aldi, Waitrose, Ocado, Booths, Spar, Cost Cutters, Home Bargains. It could cripple the whole Nation and bring about a risk of social unrest on a scale never seen before. What plans are in place should such an unthinkable yet entirely possible scenario arise? Where exactly would we get food from if we couldn’t pay for it or it simply wasn’t arriving into stores?

There doesn’t seem to be a week that goes by without hearing of payments problems, connectivity issues, network failures. Yes a lot will be purely benign technical issues but hackers will be testing the perimeters searching for any vulnerabilities to exploit.

Businesses with all their operational eggs in one basket need to urgently put in place multilayered plans to avoid becoming the next M&S and risking weeks long chaos should such an attack happen to them.

This is why the idea of all humans being replaced by robots is ridiculous. Technology will always be open to this threat.

Will I be getting in a self driven vehicle knowing this, absolutely not.

That's why jobs in cyber security are huge.

You just see one (spectacularly) successful attack, for whatever reason. You don't see all the failed attacks happening every day, several times a day, and all the contingency plans already in place.

Simple road blocks were and are enough to disrupt the food supplies, but somehow we forget about these.

These types of attacks have ramped up exponentially. Surprise surprise, humans invent a powerful tool - AI - and put them to nefarious use.

Pretty much all systems get constantly pummelled by ai bots now. Lots are fairly unsophisticated Denial of Service attacks, ie websites being hit with so much bot traffic that they keel over. That alone can cause chaos and lots of work for internal teams to fight off.

M&S style hacks are far more concerning still.

For every one successful attack there are millions of unsuccessful ones warded off by automated systems. I work in the sector and unfortunately there are a lot of organisations that have been either naive or greedy. Greedy by the fact they don't want to spend money on cyber security because ultimately it's just an outgoing, there's no return other than NOT losing money. It's not very sexy or appealing to stakeholders. Hopefully this will give organisations a kick up the arse, as the technology, knowledge, information and support are all there for companies to access if they wish to do so! It's an endless, always evolving world to defend against attacks and sometimes you can do everything right and still get attacked, but quite often companies aren't doing the basics - when you think about the parts of a business, cyber security often isn't one that comes to mind, but its as important as your finance/payroll.

This situation is happening now. The co-op attack has caused chaos which seems to barely have been reported in favour of the m and s one. In many rural areas (eg the Scottish islands) they only have a co-op. The only shop on the island - nearest non co-op is a ferry ride then hours of driving (driving past many co-ops on the way). And most of the coop shelves are empty (particularly fresh - you can still get a tin of beans or some frozen bits). Staff have no idea when any produce will be delivered. No online food delivery available.

@CheeryHelper I agree on the Co-op being barely reported on, even the M&S news tended to be more focused around online orders being paused rather than the fact there’s been huge disruption to the food side of the business.

My family live in a small highland town and the co-op has not had fresh food for about a week. Called in at our tiny co-op this morning (southern Scotland) to find the same, fridges of fresh food almost bare. Milk was in good supply but yoghurts, pizzas, houmus type things very bare.

I work in Cybersecurity.

I have access to up to date threat intelligence. If you're this worried about three attacks on retail, then you're in for a really rough ride if you start opening this can of worms.

I currently have 152,000 cyber attacks live in my threat intel platform, globally, since the 29th April.

The big thing to worry about isn't a shop, it's the critical national infrastructure. Thankfully, they are generally very robust in terms of their cyber defences.

As previous posters have said, there's surprisingly very few attacks that are actually successful.

What about the police going after the criminals behind these attacks? We seem woefully unprepared on this front in my opinion.
Also the government itself invests fuck all in cyber security itself. Look at how much they pay for info sec and security roles in the public sector.
I think it’s easy to scapegoat firms for not investing enough, but the reality is there are always ways in and firms are just trying to keep pace with the vulnerabilities and fix them. If there’s no deterrent for committing these crimes, then you just get more and more people having a go because there’s way to make money out of hacking firms.

I can only imagine it’s a can of worms. Surely though, teenagers disabling the systems of national supermarket chains to the extent where they have empty shelves should be deemed a worry? To me it’s the perfect opportunity to bring about anarchy. Retail seems to be a target for cyber attacks recently if the news is anything to go by.

What is classed as critical national infrastructure?

And this is why we shouldn't sleepwalk into becoming a cashless, app-centric society.

Critical National Infrastructure:

Trains, planes, water, electricity etc.

Don't be fooled into thinking it's just script kiddies, there's state-sponsored threat actors, hackers for hire, ransomware as a service etc.

The good thing is that basic Cyber Hygiene will prevent most attacks.

The M&S attack was a social engineering attack to begin with. The malicious actors called up their IT helpdesk to get some login credentials reset and they did it. This was their way in. From there, it was get remote access, install malware and let it spread whilst simultaneously exfiltrating data for ransom (no doubt)

Agree Op.

I really think we need a rethink about our levels of reliance on IT given its vulnerability. It’s costing us a fortune and I’m not convinced it’s worth the cost. Millions out of work, constant updates and security needed, huge amounts of power requiring environmental damage and impacts when it goes wrong. It’s not free and it’s not working class people gaining.

I suspect that Tesco takes its cybersecurity seriously.

Yep our coop (north Scotland) also just about wiped out of anything fresh/fridge/freezer. They still have some stock of dry and tinned goods and household things like toilet rolls and cat food but it’s going down quite quickly. The shop staff know nothing and are obviously sick of getting questions about it.

We are only going to become even more reliant on IT systems. There’s no going back now, we just need to make sure that we can actually survive without it when it’s suddenly not there.

Yesterday I was in the office (central London) and all our Microsoft programs seemed to be up the spout all day, when I went to Tesco for my lunchtime meal deal the tills weren’t accepting contactless, and then on the way home most of the tube lines were down due to a power failure. I did wonder if it was a cyber attack but maybe all coincidence. It does seem to be happening more frequently though

Our little suburban coop had a delivery, yesterday, which included 5 big cartons of sausage and mash ready meals. They've marked them all down to a quid in the hope of shifting them.

I'm more bothered about an attack on the electrical grid. Now that will stop the country.

But there's no telling people.

I'm 20 years on from this, but thank you. It is a thankless job, like so many. It only takes one out of 100s of thousands to be a major issue and then the blame game starts. Pleased I no longer have this as my headache.

Then you’re accepting an increasingly divided society with a few rich elite ever more closely wired into the Borg and some families struggling to get homework completed with one mobile phone to the family.

We can’t afford this level of IT on any level.

Clearly we’re in a revolution and the climate issues may well push that into a collapse. God knows what the survivors will think when sense returns. They’re as likely to be a religious society that rejects machines, or at least thinking machines, entirely.

The NHS board I work for had a massive cyber attack a year ago, lots of patient information was gained, the system we use in the community for our iPads was hacked etc and we haven’t been given it back yet and we need it really to enable us to complete notes out and about, my thought was if we were still using paper and pen notes it would never have happened on the scale it did

i work in cybersecurity and the biggest problem is that we are seen as a cost to the business. Everything we are doing is to prevent a risk from happening so our success is shown by us not being hacked, not having data stolen. Unfortunately that can look to budget holders like they are paying a lot of money to protect against something that isn’t happening, so we are always on the hit list for budget freezes and cuts.

Oh and for anyone interested, around 90% of cyber incidents are caused by human error. So that really basic and annoying annual training you do at work is actually really important because honestly if the company is going to be hacked it’s highly likely that it will be because:

a) someone clicked on a link and entered their login details
b) someone let the person behind tailgate into the building
c) someone didn’t do all the checks when resetting a password over the IT phoneline
d) someone picked Password123 as their password then wrote it down and stuck it under their keyboard.