Hackers Strike Harrods in Latest UK Cyberattack

> In July, four people including a 17-year-old boy were arrested on suspicion of being involved in cyberattacks on Harrods, the Co-op, and Marks and Spencer, and were bailed pending further inquiries.

Your proposal is we have a foreign army come over and start executing children? What is this Bush era nonsense.

Funny you say this because Scattered Spider is largely made up of Western teenagers, not Russians.

For some reason the "no apostrophe" thing is common in UK company names.

Does the UK actually have a mandated deadline for any kind of infosec disclosure?

Terrible tech reporting, as is the norm.

https://www.bbc.com/news/articles/c8d70d912e6o indicates that the recently announced breach was separate from the one in May (for which the attackers were arrested in July?). I think the one in May leveraged CVE-2025–31324.

It's likely already happened, but we will never hear about it. Their attack surfaces will be clustered and broken up, through an inhomogenous distribution of various systems and layers and networks, and the entirety of the system will be protected through disjoint connections, both the intentional and the bureaucratic and structural that follow from the mere fact of being really big organizations. Any particular unit within the whole that gets pwned will have recovery tactics available, but reporting will probably be kept as private as humanly possible, even to the extent of avoiding reporting to government, so as to avoid "damage" to markets, loss of reputation, runs on the bank, and so forth. If they don't have a near instant recovery and mitigation of the attack, they'll be much more likely to pay and recover, quietly, than most other organizations. There are laws and regulations and boxes that get checked to ostensibly hold them to a high cybersecurity standard, but that's a lot of theater and pomp for public confidence over anything practical. Where they benefit is from being able to pay for teams and high quality security personnel and being incentivized to avoid getting hacked.

It's not in anyone's interest to make a lot of fuss or noise in the public eye, so us chickens out here won't ever hear about anything that happens.

That comes with the caveat that the big banks can afford to pay really nasty people to go find hackers and turn them over to authorities, or worse options in more lawless parts of the world, and the public will never hear about those actions either, which disincentivizes the hackers. There are easier ways of getting more money with less risk of catastrophic personal outcomes, with the technical difficulty of even attempting anything serious filtering out the impulsive and stupid.

Luckily, the Venn diagram overlap of black hat hackers and greying IBM mainframe programmers who understand things like JCL, RPG, COBOL and VSAM is a very small one indeed.

Like ICBC? Already happened

There is no system in use by a commercial entity in the world that can stop criminals with ~10 M$ from completely bypassing all of their security and doing arbitrary amounts of damage. If the attackers can on average derive more than 10 M$ of return, then you are guaranteed profitable to hit.

For instance, in the 2023 casino hacks of MGM and Caesars, Caesar paid a random of ~15 M$, making them profitable. In the JLR hack, JLR has incurred ~500 M$ of damage to date. These attacks cost less than 10 M$ to create and deploy guaranteed.

However, most commercial systems are vastly easier to hit than even 10 M$. I would venture that most of these high profile attacks are on the order of merely ~10-100 K$ to actually create and deploy making them wildly profitable with a ROI in the 10-1000(!) range. And, if you have the choice of spending 100K to get 15 M$ or 10 M$ to get 15 M$, it is pretty obvious who you would prioritize.

It is like the story of two people and the hungry bear. Even if you can not outrun the bear, if you can outrun the other person then the bear will tear you apart second.

So it is both. Everything is shoddy. Some are dramatically more shoddy than others. And the hungry bears are breeding so they can eat all the dodos.

IMO it's shoddy. Anybody can get hacked, that's true. But a modern corp that has tried to defend itself should have multiple layers of defenses against complete pwnage.

If you've paid attention in the last 10 (or even 5) years as a company, and did some pentests and redteams, you've seen how you could be breached, and you took appropriate steps years ago.

A non-shoddy company will have:

- hardened their user endpoints with some sort of modern EDR/detection suite.

- Removed credentials from the network shares (really).

- Made sure random employees are not highly privileged.

- Made sure admin privileges are scoped to admin business roles (DBA admin is not admin on webservers, and vice-versa).

- Made sure everyone is using MFA for truly critical actions and resource access.

- Patched their servers.

- Done some pentests.

This won't stop the random tier 2 breach on some workstation or forgotten server still hooked up on prod/testing, but it will stop the compromise _after_ that first step. So sure, hackers will still shitpost some slack channel dumps, but they won't ransomware your whole workstation fleet...

> Are these hacks unavoidable, or are they indicative of shoddy IT on the victim's side?

That's a really good question and one that I've asked (myself) many times. What I can't understand is that on one side you have an IT division that (probably) has a substantial budget, security hardware and software layers, security strategies and probably hundreds of personnel. On the other side you have a group of hackers/crackers who have none of the above, but often succeed. How does that work? Srsly!