Landmark London department store Harrods has become the latest UK retailer to fall victim to a cyber attack in the past 10 days, joining a list that already includes Marks and Spencer and Co-op.
The still in-progress incident was initially reported by Sky News and has supposedly left customers unable to pay for their purchases.
A Harrods spokesperson confirmed the accuracy of this report to Computer Weekly.
“We recently experienced attempts to gain unauthorised access to some of our systems,” they said.
“Our seasoned IT security team immediately took proactive steps to keep systems safe and as a result we have restricted internet access at our sites today.”
The spokesperson added: “Currently all sites including our Knightsbridge store, H beauty stores and airport stores remain open to welcome customers. Customers can also continue to shop via harrods.com.
“We are not asking our customers to do anything differently at this point and we will continue to provide updates as necessary.”
Three major attacks
Further details on the incident affecting Harrods are yet to be made public.
However, the incident comes barely 48 hours after Co-op first disclosed it was experiencing a similar cyber attack that it also took proactive steps to mitigate, and less than a fortnight after M&S was forced to suspend multiple online services following an incident.
This has lent weight to growing speculation that all three attacks may share a common link. The most plausible scenario would suggest that the three attacks originated through an unidentified third-party retail services partner in a supply chain attack.
Earlier this week, it emerged that the M&S attack may have been the work of the cyber criminal collective Scattered Spider, which allegedly deployed a white-label ransomware called DragonForce on its VMware servers.
A compromise orchestrated through a third-party supplier would align with Scattered Spider’s modus operandi – the gang famously extorted multiple victims, including two high-profile Las Vegas casino operators, having exploited Okta identity services.
Tim Grieveson, CSO at ThingsRecon, an attack surface discovery specialist, said: “There must be a common thread across these retailers that has put them firmly in the crosshairs of cyber criminals. These aren’t isolated events, they are a wake-up call. The action and initiative we have seen from the Co-Op and Harrods should be a blueprint for others, not just in retail, but across all sectors.”
Toby Lewis, head of threat analysis at Darktrace, said: “With the information publicly available we can see two other likely scenarios: either a common supplier or technology used by all three retailers has been breached and used as an entry point to big name retailers; or the scale of the M&S incident has prompted security teams to relook at their logs and act on activity they wouldn’t have previously judged a risk. It’s a lesson again in the growing difficulty large organisations have in securing against threats in their supply chain, particularly as those threats grow in volume and sophistication.”
Copycat hackers
Jake Moore, global cyber security advisor at ESET, highlighted a third possibility, saying that even if the same threat actor was not responsible for all three incidents, it was not uncommon for related targets in similar sectors to fall victim to attacks in quick succession.
Moore said that in the case of ransomwares like DragonForce, which is openly sold on the cyber criminal underground via a ransomware-as-a-service (RaaS) model, can be easily deployed by other threat actors motivated by the first attack to seek out similar vulnerabilities.
“Other hacking groups are also able to attempt their luck on similar businesses and start demanding ransoms where possible,” said Moore.
“Attacks involving the DragonForce ransomware most commonly start by targeting known vulnerabilities such as attacking systems that have not been kept up to date with the latest security patches so businesses need to be extra vigilant and improve how quickly they update their networks,” he said.