Retailer cyber attacks: 'Food terrorism', data breached, a falling share price and a CEO out of pocket

News broke last night of another UK food sector producer and retailer impacted by a growing wave of cyber-attacks and ransomware incidents potentially linked to the threat actor Scattered Spider.

Peter Green Chilled transports food to supermarkets including Tesco, Sainsbury's and Aldi, and confirmed it had been hit by a ransomware attack, highlighting growing vulnerabilities in supply chain cybersecurity.

The UK has faced a barrage of cyber-attacks in the last month with media claiming the retail sector is being 'brought to its knees' whilst the Legal Aid Agency also suffered a major breach that could leave applicants open to blackmail for sensitive criminal records.

The UK has the current Network and Information Systems (NIS) Regulations 2018 in place to define and regulate five critical industries and some digital services and many feel this does not go far enough, failing to match the European NIS2 update and with many incidents of concern not being reported.

The government published the Cyber Security and Resilience Bill in April noting the country faced "unprecedented threats" and this may be accelerated given recent events.

Case study: Marks and Spencer

Iconic retailer M&S suffered a major cyber-attack in late April and the downstream impacts to shoppers have been noted with millions of pounds of lost sales and struggles to ensure supplies reach local stores.

The source of the incident has not yet been confirmed but residents in Guernsey interviewed by the BBC have described attacks on UK supermarkets as "food terrorism" with shelves left empty and shoppers struggling.

Media coverage over the last month has highlighted a significant customer data breach, the share price falling as much as 14% and a CEO potentially £1m out of pocket based on company performance. One UK law firm is now actively progressing a class action lawsuit against the company following the data exfiltration.

The scale of events in the UK is a reminder of the constant cat and mouse game between attackers and defenders. It would seem that more needs to be done stratgeically to address failings across critical supply chains with security practitioners adequately resourced to mitigate key business risks.

‍

‍