July 11, 2025 10 mins

In this episode of Cybersecurity Today, host Jim Love discusses major updates on the recent cyber attack on Marks and Spencer, revealing new details and arrests. The breach involved sophisticated social engineering that infiltrated the company's network through an IT service provider, leading to 150GB of stolen data. Love then covers a massive insider breach at a Brazilian bank where an IT worker facilitated the theft of $140 million by selling login credentials. Lastly, the episode highlights a McDonald's HR data breach caused by weak security practices in an AI screening app, exposing millions of job applicant records. Key insights on these incidents emphasize the importance of robust cybersecurity measures and internal controls.

00:00 Introduction and Headlines
00:20 Marks and Spencer Hack: New Developments
04:07 Brazilian Bank Breach: An Inside Job
06:40 McDonald's HR Data Breach: A Comedy of Errors
10:21 Conclusion and Upcoming Features

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:01):
Two big updates on the recent Marks and Spencer hack. A Brazilian bank breach is an inside job, and McDonald's HR data was made vulnerable, not by artificial intelligence, but by a singular lack of developer intelligence. This is Cybersecurity Today. I'm your host, Jim Love. Two big updates on the Marks and Spencer story. Marks and Spencer have provided some

(00:25):
additional facts in testimony before a parliamentary investigation, which shed some light on the attack that took out the retail giant in the UK and spread from the UK to North America as well. Secondly, it appears that police have made some arrests. The BBC is reporting that four people have been arrested by police in the

(00:47):
National Crime Agency investigation of the attacks on Marks and Spencer and the other retailer, Co-op, in the UK. A 20-year-old woman and three males aged 17 and 19 were detained in the London and West Midlands areas in the UK. The 19-year-old is from Latvia, and the 17-year-old and the woman

(01:07):
arrested are both from the UK. The police arrested them at their homes in quiet suburban areas and seized their equipment as well. Paul Foster, head of the NCA, said it was a significant step in the investigation, but they are continuing to work with partners in the UK and overseas, indicating there may be more to come, and that would be very good news.

(01:30):
Indeed, Marks and Spencer and Co-op were just the start of a wave of similar attacks that have spread from the UK into North America. And meanwhile, Marks and Spencer released more information about how the cyber criminals infiltrated their network back in April, and their carefully worded testimony suggests they may have quietly paid the ransom.

(01:54):
Marks and Spencer Chairman Archie Norman revealed to Parliament this week that the breach began with social engineering, which he described as sophisticated impersonation. Threat actors posed as one of the company's employees to trick a third-party help desk into resetting a password. That third party was reportedly IT outsourcing giant Tata Consultancy

(02:18):
Services, which handles Marks and Spencer's technical support. Norman went out of his way to say this wasn't just a simple phishing email; it was a sophisticated attack. He said they appeared as somebody with their details, and the attackers had done their homework on Marks and Spencer's internal systems and personnel.

(02:39):
The attack was initially attributed to the DragonForce ransomware operation, believed to be operating from Asia, ultimately forcing Marks and Spencer to shut down all their systems. Sources told Bleeping Computer that approximately 150 gigabytes of data was stolen and numerous VMware ESXi servers were encrypted. DragonForce typically employs these double extortion tactics, stealing

(03:04):
data and threatening to publish it unless ransoms are paid, but months later, DragonForce has not made an entry on their data leak site for Marks and Spencer, which seems to indicate that Marks and Spencer paid the ransom. But on that point, Norman was a little evasive. When Parliament pressed him about ransom payments, his response was revealing.

(03:27):
He said that Marks and Spencer took a hands-off approach, leaving negotiation to professionals who have experience in the matter, likely referring to specialized ransomware negotiation firms. When directly asked if they paid, Norman again deflected, saying they weren't discussing details publicly, but they

(03:48):
had shared everything with authorities. We'll have more on this story on our weekend edition, where our panel will feature an expert on ransomware groups and some insights into the worldwide network called Scattered Spider that may be a part of this attack as well. Brazil's financial sector is still reeling from a devastating cyber

(04:11):
attack that demonstrates how a single employee can trigger a massive security breach, and in this case, lead to the theft of over 140 million from the country's central banking system. C&M Software, which provides the critical bridge services connecting Brazil's Central Bank to local financial institutions, revealed on

(04:33):
June 30th that hackers had stolen 800 Brazilian reals, approximately $140 million, from the reserve accounts of six financial institutions. The attack was so severe that Brazil's Central Bank immediately suspended access to C&M's software platform for all local banks while investigating the breach.

(04:55):
But the real shock came when police arrested the person who made it possible. A 48-year-old IT worker who worked on backend systems at C&M Software allegedly sold login credentials to hackers for approximately $2,700, granting them unauthorized access to the critical financial systems.

(05:19):
The payout was a tiny fraction of what the criminals ultimately stole. And according to police, Roque's story reads like a low-budget thriller. He claims cyber criminals first approached him in March as he was leaving a São Paulo bar, and that he later received instructions via WhatsApp and payments through motorcycle couriers.

(05:40):
He reportedly changed his mobile phone every 15 days in a futile attempt to avoid being tracked. We say futile because police identified him and arrested him. Now, the good news: the stolen money came from reserve accounts used by financial institutions to exchange funds between themselves rather than customer accounts, meaning the public isn't directly impacted.

(06:04):
Brazilian authorities have since frozen $50 million linked to the incident. But the case highlights a critical vulnerability in financial infrastructure: the insider threat. No matter how sophisticated your external security, a single employee with access to sensitive systems can potentially compromise everything for

(06:28):
financial institutions worldwide. This incident underscores the need for stronger internal controls and monitoring of privileged access. McDonald's, the fast food giant's embrace of AI screening has backfired spectacularly, with hackers accessing years of job applicant

(06:51):
data through security flaws so basic they're almost embarrassing. We'll be clear on this story: the use of AI is not the problem. It's not artificial intelligence that's at issue, but, dare we say, a lack of intelligence from the creators of this app. We try to be charitable. Anybody can make a mistake, but 1, 2, 3, 4, 5 as an admin password?

(07:16):
Who's the security administrator on this system? The clown. McDonald's uses an AI chatbot called Olivia to screen job applicants through its McHire platform. And that platform was built by AI firm Paradox.ai. Olivia handles everything from collecting contact information to

(07:39):
directing personality tests, but until last week, the system had a problem. Virtually anybody could hack into it. Security researchers Ian Carroll and Sam Curry discovered they could access the backend of McDonald's hiring platform using tricks as simple as guessing the administrator passwords.

(08:00):
We'd love to say that Sam and Ian had some great technical ability or practiced some sophisticated social engineering, or that they were the Hamburglars of security. But the truth is the passwords were insanely easy to guess. The worst example: reportedly an admin account was secured with the password 1, 2, 3, 4, 5, 6, a combination so weak that it ranks among the world's

(08:25):
most commonly used stupid passwords. The breach exposed what appears to be 64 million records containing applicants' names, email addresses, and phone numbers from years of McDonald's job applications. Carroll said he stumbled onto this goldmine of personal data within just 30

(08:45):
minutes of starting his investigation. Carroll explained, "I just thought it was pretty uniquely dystopian compared to a normal hiring process. So I started applying for a job, and then after 30 minutes we had full access to virtually every application that's ever been made to McDonald's going back years."

(09:06):
Now the vulnerability highlights a growing concern as companies rush to deploy AI systems without proper security oversight. Paradox.ai has since acknowledged the breach and claims the weak password account was not accessed by any third party other than the researchers who discovered it.

(09:26):
McDonald's tried to quickly distance themselves from responsibility, calling the vulnerability unacceptable and blaming their third-party vendor. The company said the issue was resolved the same day it was reported. For job seekers, this incident serves as a stark reminder that even routine activities like applying for work can expose personal information if companies prioritize innovation

(09:52):
over security fundamentals. And for companies, it's a warning that just because a company seems to know a lot about AI or has a URL that ends in .ai, don't assume that they have what it takes to properly implement and secure a system. And McDonald's might have been able to hold the vendor responsible, but

(10:14):
as all security professionals know, you cannot delegate accountability. And that's our show. Stay tuned this weekend for a month in review and some in-depth discussions about some of the big security issues and stories from this month. Catch it on Saturday morning or whenever you listen to long-form podcasts.

(10:36):
I'm your host, Jim Love. Thanks for listening.
© 2025 iHeartMedia, Inc.