TCS also contracts for Marks & Spencer, and the Co-op, both of which were also taken offline by hacking earlier this year.

Note that M&S dropped TCS in July following the recovery. https://www.ft.com/content/289ec371-2ed4-425a-9bd0-c34e6db39... and elsewhere.

> M&S chair, told MPs that hackers had used “sophisticated impersonation” to gain entry “involving a third party.”

20 bucks says this sophisticated impersonation was social engineering a $5/hour outsourced customer support employee.

> The attack is expected to lower operating profits by up to £300mn this year.

That's not counting the reputation and brand damage. M&S is seen as a premium retailer and this whole hack made them seem utterly incompetent and unreliable.

> had decided to opt for another service provider after the process had completed

I wonder where this other provider is based. I think I'm gonna place another 20 bucks on this.

> The retailer continues to use the Indian group for other services.

lol.

I doubt many people shopping for a sandwich and an unfashionable suit will be thinking about the M&S hack.

> M&S is seen as a premium retailer and this whole hack made them seem utterly incompetent and unreliable

Hiring TCS to begin with made them seem utterly incompetent and unreliable.

Let them fail and be a warning to other companies trying to cheap out on IT.

>20 bucks says this sophisticated impersonation was social engineering a $5/hour outsourced customer support employee

0 bucks says this list of data breaches below is much, much more devastating. 0 bucks, because I don't have to bet on it, unlike you, because it's true:

>https://en.wikipedia.org/wiki/List_of_data_breaches

>This is a list of reports about data breaches, using data compiled from various sources, including press reports, government news releases, and mainstream news articles. The list includes those involving the theft or compromise of 30,000 or more records, although many smaller breaches occur continually. Breaches of large organizations where the number of records is still unknown are also listed. In addition, the various methods used in the breaches are listed, with hacking being the most common.

>Most reported breaches are in North America, at least in part because of relatively strict disclosure laws in North American countries.[citation needed] 95% of data breaches come from government, retail, or technology industries.[1] It is estimated that the average cost of a data breach will be over $150 million by 2020, with the global annual cost forecast to be $2.1 trillion.[2][3] As a result of data breaches, it is estimated that in first half of 2018 alone, about 4.5 billion records were exposed.[4] In 2019, a collection of 2.7 billion identity records, consisting of 774 million unique email addresses and 21 million unique passwords, was posted on the web for sale.[5] In January 2024, a data breach dubbed the "mother of all breaches" was uncovered.[6] Over 26 billion records, including some from Twitter, Adobe, Canva, LinkedIn, and Dropbox, were found in the database.[7][8] No organization immediately claimed responsibility.[9]

>In August 2024, one of the largest data security breaches was revealed. It involved the background check databroker, National Public Data and exposed the personal information of nearly 3 billion people.[10]

>that's not counting the reputation and brand damage. M&S is seen as a premium retailer and this whole hack made them seem utterly incompetent and unreliable

>>The retailer continues to use the Indian group for other services.

>lol.

>is seen

lol. A lot of things are seen as blah blah. Doesn't mean they are blah blah.

Google is seen as a world-leading tech company. Yet see how HNers regard them (except those desperate for FAANG salaries).

If they hired their vendors without due diligence, they may be incompetent and unreliable themselves. On the other hand:

>> M&S chair, told MPs that hackers had used “sophisticated impersonation” to gain entry “involving a third party.”

If the impersonation was sophisticated, maybe it was not so much the fault of TCS?

If it was a Western company, would you talk / think the same?

Nahi. Non. Nein. Nyet. Nada.

lol.

At what point is it more believable that these are inside jobs done on purpose vs. incompetence? I guess that’s just Hanlon’s Razor though.

Based on my experience working alongside TCS, incompetence seems far more likely. If we'd asked for a back door, we'd have gotten a solid wall.

Then again, my experience may have left me a little jaded.

It's perfectly believable. Whether it is more believable or not is a toss-up. If you employ such a large number of people there are bound to be a couple of bad apples, and unless you have very good internal processes and monitoring it isn't all that hard to imagine someone doing something they shouldn't be doing. But absent hard evidence that it happened that way, it is interesting speculation but no more than that; besides, it can be impossible to distinguish between the two even if you have evidence of an inside job that looks like incompetence!

I have heard there is a growing trend of hackers paying kickbacks to insiders; it certainly makes hacking easier.

Having worked with Indian consultancy firms for over 10 years, I can safely say security attitudes and practices haven't changed much.

There's always this culture of taking shortcuts at the expense of security and quality.

One of the problems with incompetence, of which there are many, is that it gives bad actors space to operate. From a security point of view I don’t think the distinction matters all that much.

That said, the situations I’ve heard about were from affiliate ransomware attacks that didn’t make the news because the backup worked. It’s difficult to keep things secure from highly motivated internal bad actors. I’ve been told it’s an increasing trend but have not heard much about it publicly.

The challenge is this though: companies that are outsourcing to these consultancy firms put them against each other in RFPs that incentivise whatever behaviour can get them to the lowest bid.

Inevitably quality suffers. Until customers start awarding business based on something other than the number at the bottom, this kind of thing will continue.

When you pay your support employees so little, it's not difficult for someone from a wealthier place to bribe them.