How working from home made Britain a sitting duck for cyber attackers

Telegraph, 01-05-2025

Former M&S boss Lord Stuart Rose has long branded himself an 'unreconstructed get-back-to-work man', claiming the practice of working from home is damaging both the economy and employees' wellbeing.
Now, the 76-year-old businessman may have another reason to oppose remote working – with the arrangement possibly putting one of Britain's best-loved retailers, and his former employer, at the mercy of hackers.
Since Easter weekend, M&S has been reeling from a major cyber attack that has paralysed online orders, disabled contactless payments in-store, and wiped nearly £700 million off its market value.
And M&S is not the only retailer that has been subjected to such an attack. Earlier this week, the Co-op said it was having to fend off hackers and, on Thursday evening, luxury department store Harrods said they had 'recently experienced attempts to gain unauthorised access to some of their systems'. In a statement, the store added: 'Our seasoned IT security team immediately took proactive steps to keep systems safe and as a result we have restricted internet access at our sites.'
Harrods said all its stores remained open and it is unknown if the three attacks are related.
Though M&S bosses have yet to reveal the cause, questions are mounting over whether the hackers were able to penetrate the multibillion-pound firm's cyber defences through one of its remote workers.
It would not be a surprise: for years, security experts and intelligence agencies have warned that hackers are targeting remote workers as the weakest link in a company's digital infrastructure.
Indeed, just last year the retailer – which is understood to allow staff to work two days a week at home – warned in its annual report that WFH was increasing its exposure to cyber attacks.
But why? The answer is simple – computers in most corporate offices have a vast array of tough defences installed to keep bad actors out, from firewalls to secure internet routers, all of which are kept under close watch by the on-site security team.
Yet such protection wanes as soon as staff are out the revolving doors. Suddenly, the onus falls instead on the employee, whether it's keeping their devices updated or being vigilant when using unsecured public WiFi while working in cafes.
A survey by Malwarebytes Lab, carried out around six months after the first Covid lockdown, found one in five businesses had faced a security breach as a result of a remote worker.
Four years later, a poll by Absolute Security in 2024 revealed three out of four bosses still believed staff working from home was their 'biggest weakness' when trying to defend against cyber attacks.
How do the hackers get in?
Experts believe M&S was infected by ransomware called Dragonforce, malicious software that locks users out of their computer or network and scrambles the data – with the criminals demanding a fee to unlock it.
In its rush to contain the attack, M&S bosses quickly moved to lock remote-working staff out of the company's internal IT systems. But could these remote workers have also been the crucial weakness that let the hackers in?
To infect a computer, hackers need to find a chink in digital defences – and staff working from home can often be easy prey. A common entry point is the virtual private network (VPN) that remote employees use to connect securely to their office networks.
Such software only offers protection if it is kept up to date and uses multi-factor authentication, which requires several forms of verification before access is granted. In 2021, investigators traced the huge ransomware attack that took down the Colonial Pipeline – which supplies 45 per cent of the fuel on the United States' East Coast – to an outdated VPN account of the kind commonly used by remote employees.
The same year, a hacker gained control of the Oldsmar water treatment plant in Florida through remote access software called TeamViewer, and tried to poison the supply by increasing the chemical content. All the plant's computers used the same password for remote access and were running an outdated Windows operating system.
In other words, both were ripe for exploitation. In 2022, an alert by the Five Eyes intelligence alliance warned that Microsoft's Remote Desktop Protocol (RDP), which links 'millions' of Britons to their company networks, was 'one of the top ways' Russian hackers could potentially gain a crucial foothold within critical infrastructure, from the NHS to nuclear power stations.
Yet often, the real weakness is not a system flaw but the people behind the systems – either the security team or the employees themselves. One of the most popular methods of gaining unauthorised access is 'social engineering', which involves tricking humans into compromising their security.
Such tactics were used in the attack on Twitter in July 2020 when a 17-year-old boy was able to gain access to 130 celebrity Twitter accounts – including Barack Obama, Kim Kardashian, and its future owner Elon Musk – to promote a Bitcoin scam.
An investigation by the New York State Department of Financial Services found the teen had 'directly exploited Twitter's shift to remote working' by calling up employees and pretending to be from the IT department to get access to the internal systems.
Who carried out the M&S attack?
Earlier this week it was revealed the Met Police are investigating whether the M&S attack was carried out by a hacking collective called Scattered Spider. The group first appeared in 2022 and have already been linked to more than 100 targeted attacks, including US casino operator Caesars, which paid over £11 million to restore its network.
Unlike the majority of such gangs, who are generally based in places such as Russia, the group are English-speaking and known to include UK and US citizens, some as young as 16. Their motivation is said to be as much about bragging rights as money.
According to the FBI, the group's modus operandi is tricking people into letting them into their systems, from impersonating IT staff to 'sim swapping', a tactic in which a fraudster persuades their victim's mobile provider to transfer the phone number to a sim card under their control.
'Scattered Spider have been linked to dozens of attacks over the last few years and their clever tactics often target the human element,' Jake Moore, global security advisor at cybersecurity software company ESET, tells The Telegraph. Moore points to remote workers in particular as a potential target. 'Working from home adds yet another attack entry point which has limited control.'
'Hybrid work has made enforcing security standards a minefield'
He reveals how, as a test, he once hacked into the work account of a superintendent simply by calling the Police HQ help desk. 'They asked me two security questions, which were easy to find out the answers to online – vehicle registration and shoulder number – and then I was able to convince them I was the superintendent and had forgotten my password after being on holiday for two weeks.
'They reset the password to a new string of text and gave me the password over the phone. I then logged in and had full access to the police networks. At this point I made the chief constable aware of this vulnerability.'
Not everyone shares the view that WFH heightened the danger to M&S's cybersecurity, however. 'That's total BS as far as I'm concerned,' says Ciaran Martin, ex-chief executive of the UK's National Cyber Security Centre (NCSC). 'I don't have a strong view on either side of the culture war, but it's not a thing, so far as I understand the details in this incident specifically.
'I was head of the NCSC when lockdown one happened, and I was stunned at how little rise there was in cyber harm when we went on an unplanned, short-notice experiment in home working. Turns out the bring your own device security and other remote working things we'd been doing for years before 2020 worked pretty well. We have many systemic problems in cyber security but remote working isn't on my list!'
But the NCSC is clearly aware of the vulnerabilities, saying in an advisory note published in April 2020 that 'the surge in home working has increased the use of potentially vulnerable services… amplifying the threat to individuals and organisations'.
Often, remote workers are the first to have their access to internal systems removed when there is an attack – suggesting security teams are wary of the threat. As it battled on Wednesday to contain the damage from its cyber attack, Co-op told staff they could no longer log on to the company's IT system from home, a 'proactive measure' it explained after detecting 'third parties' trying to break in over the weekend.
Indeed, experts warn the threat to companies from remote work is only rising with the advent of generative AI, the technology behind chatbots. Not only is it making social engineering easier, both in terms of scale and its believability, but it is also inadvertently giving away vast swathes of confidential company data to third parties that in-house security teams have no ability to protect.
'Hybrid work has made enforcing security standards a minefield,' says Arkadiy Ukolov, co-founder of Ulla Technology. 'Employees increasingly rely on AI-powered tools such as ChatGPT – often outside corporate oversight – unaware that these systems may quietly harvest client data to train their models. This opens doors to data leakages where third parties gain access to very sensitive information.'
'The risk isn't theoretical – it's happening in the background, right now,' he adds. In response, the London-based firm has developed an AI-powered assistant that can be integrated into a company's infrastructure to keep the data private. 'The most vulnerable industries are the legal sector, government departments and the NHS.
'Their employees manage highly sensitive information such as intellectual property, corporate secrets and medical documents on a daily basis. For them, poorly managed hybrid working systems pose an existential security threat.'
