How working from home made Britain a sitting duck for cyber attackers


Telegraph, 01-05-2025
Former M&S boss Lord Stuart Rose has long branded himself an 'unreconstructed get-back-to-work man', claiming the practice of working from home is damaging both the economy and employees' wellbeing.
Now, the 76-year-old businessman may have another reason to oppose remote working – with the arrangement possibly putting one of Britain's best-loved retailers, and his former employer, at the mercy of hackers.
Since Easter weekend, M&S has been reeling from a major cyber attack that has paralysed online orders, disabled contactless payments in-store, and wiped nearly £700 million off its market value.
And M&S is not the only retailer that has been subjected to such an attack. Earlier this week, the Co-op said it was having to fend off hackers and, on Thursday evening, luxury department store Harrods said they had 'recently experienced attempts to gain unauthorised access to some of their systems'. In a statement, the store added: 'Our seasoned IT security team immediately took proactive steps to keep systems safe and as a result we have restricted internet access at our sites.'
Harrods said all its stores remained open and it is unknown if the three attacks are related.
Though M&S bosses have yet to reveal the cause, questions are mounting over whether the hackers were able to penetrate the multibillion-pound firm's cyber defences through one of its remote workers.
It would not be a surprise: for years, security experts and intelligence agencies have warned that hackers are targeting remote workers as the weakest link in a company's digital infrastructure.
Indeed, just last year the retailer – which is understood to allow staff to work two days a week at home – warned in its annual report that WFH was increasing its exposure to cyber attacks.
But why? The answer is simple – computers in most corporate offices have a vast array of tough defences installed to keep bad actors out, from firewalls to secure internet routers, all of which are kept under close watch by the on-site security team.
Yet such protection wanes as soon as staff are out the revolving doors. Suddenly, the onus falls instead on the employee, whether it's keeping their devices updated or being vigilant when using unsecured public WiFi while working in cafes.
A survey by Malwarebytes Lab, carried out around six months after the first Covid lockdown, found one in five businesses had faced a security breach as a result of a remote worker.
Four years later, a poll by Absolute Security in 2024 revealed three out of four bosses still believed staff working from home was their 'biggest weakness' when trying to defend against cyber attacks.
How do the hackers get in?
Experts believe M&S was infected by a ransomware called Dragonforce, a malicious software that locks a user out of their computer or network and scrambles the data – with the criminals demanding a fee to unlock it.
In its rush to contain the attack, M&S bosses quickly moved to lock remote-working staff out of the company's internal IT systems. But could these remote workers have also been the crucial weakness that let the hackers in?
To infect a computer, hackers need to find a chink in digital defences – and staff working from home can often be easy prey. A common target is the virtual private network (VPN), used by remote employees to securely connect to their office networks.
Such software is only useful if it's kept up-to-date and uses multi-factor authentication, which requires several forms of verification to access. In 2021, investigators traced the huge ransomware attack that took down the Colonial Pipeline – which supplies 45 per cent of the United States' fuel on the East Coast – to an old version of a VPN account commonly used by remote employees.
The same year, a hacker gained control of the Oldsmar water treatment plant in Florida through a remote access software called TeamViewer, and tried to poison the supply by increasing the chemical content. All the plant's computers were using the same password for remote access, and were running on an outdated Windows operating system.
In other words, both were ripe for exploitation. In 2022, an alert by the Five Eyes intelligence alliance warned that the Microsoft software, Remote Desktop Protocol (RDP), that linked 'millions' of Britons to their company networks, was 'one of the top ways' Russian hackers could potentially gain a crucial foothold within critical infrastructure, from the NHS to nuclear power stations.
Yet often, the real weakness is not a system flaw but the people behind the systems – either the security team or the employees themselves. One of the most popular methods of gaining unauthorised access is 'social engineering', which involves tricking humans into compromising their security.
Such tactics were used in the attack on Twitter in July 2020 when a 17-year-old boy was able to gain access to 130 celebrity Twitter accounts – including Barack Obama, Kim Kardashian, and its future owner Elon Musk – to promote a Bitcoin scam.
An investigation by the New York State Department of Financial Services found the teen had 'directly exploited Twitter's shift to remote working' by calling up employees and pretending to be from the IT department to get access to the internal systems.
Who carried out the M&S attack?
Earlier this week it was revealed the Met Police are investigating whether the M&S attack was carried out by a hacking collective called Scattered Spider. The group first appeared in 2022 and have already been linked to more than 100 targeted attacks, including US casino operator Caesars, which paid over £11 million to restore its network.
Unlike the majority of such gangs, who are generally based in places such as Russia, the group are English-speaking and known to include UK and US citizens, some as young as 16. Their motivation is said to be as much about bragging rights as money.
According to the FBI, the group's modus operandi is tricking people into letting them into their systems, from impersonating IT staff to 'sim swapping', a tactic in which a fraudster persuades their victim's mobile provider to transfer the phone number to a sim card under their control.
'Scattered Spider have been linked to dozens of attacks over the last few years and their clever tactics often target the human element,' Jake Moore, global security advisor at cybersecurity software company ESET, tells The Telegraph. Moore points to remote workers in particular as a potential target. 'Working from home adds yet another attack entry point which has limited control.'
'Hybrid work has made enforcing security standards a minefield'
He reveals how, as a test, he once hacked into the work account of a superintendent simply by calling the Police HQ help desk. 'They asked me two security questions, which were easy to find out the answers to online – vehicle registration and shoulder number – and then I was able to convince them I was the superintendent and had forgotten my password after being on holiday for two weeks.
'They reset the password to a new string of text and gave me the password over the phone. I then logged in and had full access to the police networks. At this point I made the chief constable aware of this vulnerability.'
The heightened danger of WFH on M&S's cybersecurity is not a view shared by all, however. 'That's total BS as far as I'm concerned,' says Ciaran Martin, ex-chief executive of the UK's National Cyber Security Centre (NCSC). 'I don't have a strong view on either side of the culture war, but it's not a thing, so far as I understand the details in this incident specifically.
'I was head of the NCSC when lockdown one happened, and I was stunned at how little rise there was in cyber harm when we went on an unplanned, short-notice experiment in home working. Turns out the bring your own device security and other remote working things we'd been doing for years before 2020 worked pretty well. We have many systemic problems in cyber security but remote working isn't on my list!'
But the NCSC is clearly aware of the vulnerabilities, saying in an advisory note published in April 2020 that 'the surge in home working has increased the use of potentially vulnerable services… amplifying the threat to individuals and organisations'.
Often, remote workers are the first in line to have their access removed from internal systems when there is an attack – suggesting security teams are wary of the threat. As it battled to contain damage from its cyber attack, on Wednesday, Co-op told staff they could no longer log on to the company's IT system from home, a 'proactive measure' it explained after detecting 'third parties' trying to break in over the weekend.
Indeed, experts warn the threat to companies from remote work is only rising with the advent of generative AI, the technology behind chatbots. Not only is it making social engineering easier, both in terms of scale and its believability, but it is also inadvertently giving away vast swathes of confidential company data to third parties that in-house security teams have no ability to protect.
'Hybrid work has made enforcing security standards a minefield,' says Arkadiy Ukolov, co-founder of Ulla Technology. 'Employees increasingly rely on AI-powered tools such as ChatGPT – often outside corporate oversight – unaware that these systems may quietly harvest client data to train their models. This opens doors to data leakages where third parties gain access to very sensitive information.'
'The risk isn't theoretical – it's happening in the background, right now,' he adds. In response, the London-based firm has developed an AI-powered assistant that can be integrated into a company's infrastructure to keep the data private. 'The most vulnerable industries are the legal sector, government departments and the NHS.
'Their employees manage highly sensitive information such as intellectual property, corporate secrets and medical documents on a daily basis. For them, poorly managed hybrid working systems pose an existential security threat.'