M&S hackers demand ransom for one billion customer records

A notorious cybercriminal alliance responsible for hacking Marks & Spencer has dramatically escalated its corporate extortion campaign.
Claiming to have stolen one billion customer records from 39 major companies, Scattered Lapsus$ Hunters – an alliance of Scattered Spider, Lapsus$, and ShinyHunters – has set a deadline of October 10 for a ransom payment. They threaten to publicly release the massive trove of data if their demands are not met.
The list of claimed victims reads like a directory of global commerce, with the hackers asserting they infiltrated the systems of giants including Disney, FedEx, Google, Ikea, McDonald’s, Toyota, and Qantas Airways.
The hackers claim the data was exfiltrated from systems hosted by Salesforce, a leading software giant, and accuse the company of “criminal negligence” for allegedly failing to block the intrusions.
However, Salesforce has vehemently denied that its core platform was compromised. A spokesperson stated that their findings indicate the threats relate to “past or unsubstantiated incidents,” and that the activity is not tied to any technical vulnerability in their technology.
Salesforce attributes the breaches instead to highly sophisticated social engineering attacks directed at individual client companies. Social engineering is a deceptive tactic where hackers manipulate employees into divulging confidential information, often by impersonating IT support personnel via phone calls or emails.
Google, one of the alleged victims, detailed this methodology, explaining that the group had “repeated success in breaching networks by having its operators impersonate IT support personnel.”
This approach specifically targeted employees in English-speaking branches of multinational corporations, ultimately facilitating the theft of customer and corporate data hosted on Salesforce systems.
The group, built around the Scattered Spider hackers, has caused damage estimated at hundreds of millions of pounds to victims across various sectors. With the October 10 deadline looming, the risk of a massive data leak is acute.
The hackers reportedly shared samples of the stolen data on their Telegram page, asserting the records were gathered during a months-long campaign against the firms.
The decision by corporations and Salesforce to attribute the leaks to social engineering highlights the difficult security challenge facing multinational companies, where even robust platforms can be undermined by human error and highly sophisticated deception.
