TL;DR: Scattered Spider exploited weak service desk processes and privileged access paths at a third-party IT provider to pivot into Marks & Spencer and other retailers, with the M&S campaign leading to months of undetected access, ransomware deployment, and more than $400 million in lost profit, according to 1Kosmos. The breach shows that inherited vendor trust, not perimeter controls, is the failure point in modern retail identity governance.
NHIMG editorial — based on content published by 1Kosmos covering the Marks & Spencer and Scattered Spider supply chain identity breach: A Scattered Spider attack exploited systemic service desk flaws and weak privileged access controls. Here's how to shut the door for good
By the numbers:
- more than $400 million in lost profit
- more than 60% of consumers would stop shopping with a brand that suffered a security incident
Questions worth separating out
A: Treat vendor service desk access as privileged access, not ordinary support.
Q: Why do third-party support relationships increase ransomware risk?
A: Because attackers can abuse trusted support workflows to gain legitimate-looking access without breaking perimeter controls.
Q: What do security teams get wrong about MFA when service providers are involved?
A: They assume MFA alone can stop abuse of trusted support paths.
Practitioner guidance
- Reclassify vendor support as privileged access: map every third-party service desk action that can reset credentials, approve sessions, or change entitlements, and assign it the same review depth as administrator access.
- Require fresh identity verification for vendor-originated elevation: do not allow vendor role, VPN state, or inherited session context to authorise high-risk changes.
- Separate support identity from execution rights: ensure a help desk account cannot move directly from request handling to privileged execution without additional controls, approval logging, and traceable session binding.
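The three guidance points above can be expressed as a single policy check that sits in front of any help-desk tool able to reset credentials, approve sessions or change entitlements. The Python below is an added illustration written for this post; it is not code from 1Kosmos, NHIMG, or any retailer's service desk. The action names, the five-minute verification window, the request fields (`verified_at`, `verification_bound_to`, `approver`, `session_binding_id`) and the sample tickets are all constructed assumptions. The policy deliberately never reads the vendor flag or VPN state when deciding whether to allow a privileged action: those describe where a request came from, not whether the target identity was freshly verified for this request.

```python
"""Policy check for vendor-originated service desk actions.

Added example, not 1Kosmos or NHIMG code. It models the practitioner guidance:
privileged help-desk actions need fresh, request-bound identity verification,
an independent approver and a traceable session binding; vendor role, VPN state
and inherited session context never authorise them on their own.
Action names, field names and the verification window are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Service desk actions that change who can access what. Reviewed like
# administrator actions (assumed list; derive yours from the real workflow).
PRIVILEGED_ACTIONS = {
    "reset_credential", "approve_session", "change_entitlement", "enroll_mfa_device",
}

# A verification older than this no longer counts as "fresh" (assumed value).
VERIFICATION_MAX_AGE = timedelta(minutes=5)


@dataclass
class DeskRequest:
    request_id: str
    actor: str                          # help desk / vendor account doing the work
    actor_is_vendor: bool               # informational only; grants nothing
    action: str
    target_user: str
    vpn_connected: bool = False         # network position; ignored by the policy
    inherited_session: bool = False     # SSO/session carried over from another task
    verified_at: Optional[datetime] = None       # when the target was re-verified
    verification_bound_to: Optional[str] = None  # request the verification was for
    approver: Optional[str] = None               # independent second person
    session_binding_id: Optional[str] = None     # recorded session for execution


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)  # why the request was refused


def is_privileged(action: str) -> bool:
    return action in PRIVILEGED_ACTIONS


def evaluate(req: DeskRequest, now: Optional[datetime] = None) -> Decision:
    """Return the policy decision for one service desk request."""
    now = now or datetime.now(timezone.utc)
    d = Decision(allowed=True)
    if not is_privileged(req.action):
        return d  # ordinary support work: normal logging, no step-up needed

    # 1. Fresh, request-bound verification. Inherited context counts for nothing.
    if req.verified_at is None:
        d.reasons.append("no identity verification recorded")
    elif now - req.verified_at > VERIFICATION_MAX_AGE:
        d.reasons.append("identity verification is stale")
    if req.verification_bound_to != req.request_id:
        d.reasons.append("verification not bound to this request")
    if req.inherited_session:
        d.reasons.append("inherited session context cannot authorise elevation")

    # 2. Request handling is separated from privileged execution.
    if req.approver is None or req.approver == req.actor:
        d.reasons.append("privileged execution requires an independent approver")
    if req.session_binding_id is None:
        d.reasons.append("execution must be bound to a traceable session")

    d.allowed = not d.reasons
    return d


# Constructed sample tickets (not real data) covering the main failure modes.
NOW = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)


def sample_decisions() -> dict:
    base = dict(actor="vendor-desk-01", actor_is_vendor=True,
                target_user="alice", vpn_connected=True)
    samples = {
        "fresh_and_approved": DeskRequest(
            request_id="T-1", action="reset_credential",
            verified_at=NOW - timedelta(minutes=2), verification_bound_to="T-1",
            approver="sec-oncall", session_binding_id="sess-9", **base),
        # Vendor role plus VPN, nothing else: exactly the inherited trust to refuse.
        "vpn_and_vendor_role_only": DeskRequest(
            request_id="T-2", action="reset_credential", **base),
        "stale_verification": DeskRequest(
            request_id="T-3", action="change_entitlement",
            verified_at=NOW - timedelta(minutes=30), verification_bound_to="T-3",
            approver="sec-oncall", session_binding_id="sess-10", **base),
        "inherited_session": DeskRequest(
            request_id="T-4", action="approve_session", inherited_session=True,
            verified_at=NOW - timedelta(minutes=1), verification_bound_to="T-4",
            approver="sec-oncall", session_binding_id="sess-11", **base),
        "self_approved": DeskRequest(
            request_id="T-5", action="reset_credential",
            verified_at=NOW - timedelta(minutes=1), verification_bound_to="T-5",
            approver="vendor-desk-01", session_binding_id="sess-12", **base),
        "ordinary_lookup": DeskRequest(
            request_id="T-6", action="lookup_ticket", **base),
    }
    return {name: evaluate(r, NOW) for name, r in samples.items()}


if __name__ == "__main__":
    for name, dec in sample_decisions().items():
        print(f"{name}: {'ALLOW' if dec.allowed else 'DENY'} {dec.reasons}")
```

Running the file prints one line per sample ticket. Only the request with a two-minute-old verification bound to its own ticket, a different approver and a session binding is allowed; the ticket that carries nothing but a vendor account on the VPN collects four refusal reasons, which is the point of treating vendor support as privileged access rather than ordinary support.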
What's in the full article
1Kosmos's full analysis covers the operational detail this post intentionally leaves for the source:
- The vendor-side service desk failure chain that enabled the initial compromise and why support workflows became the access pathway.
- The identity verification controls the source says would have blocked delegated access before client systems were reached.
- The specific privileged access and authentication mechanisms discussed in the article, including identity-based verification and step-up checks.
- The retailer-focused remediation framing that connects vendor trust, MFA bypass, and support desk governance.
Read 1Kosmos's analysis of the Marks & Spencer supply chain identity breach.