TL;DR: Scattered Spider exploited weak service desk processes and privileged access paths at a third-party IT provider to pivot into Marks & Spencer and other retailers, with the M&S campaign leading to months of undetected access, ransomware deployment, and more than $400 million in lost profit, according to 1Kosmos. The breach shows that inherited vendor trust, not perimeter controls, is the failure point in modern retail identity governance.
NHIMG editorial — based on content published by 1Kosmos covering the Marks & Spencer and Scattered Spider supply chain identity breach: A Scattered Spider attack exploited systemic service desk flaws and weak privileged access controls. Here's how to shut the door for good
By the numbers:
- more than $400 million in lost profit
- more than 60% of consumers would stop shopping with a brand that suffered a security incident
Questions worth separating out
A: Treat vendor service desk access as privileged access, not ordinary support.
Q: Why do third-party support relationships increase ransomware risk?
A: Because attackers can abuse trusted support workflows to gain legitimate-looking access without breaking perimeter controls.
Q: What do security teams get wrong about MFA when service providers are involved?
A: They assume MFA alone can stop abuse of trusted support paths.
Practitioner guidance
- Reclassify vendor support as privileged access Map every third-party service desk action that can reset credentials, approve sessions, or change entitlements, and assign it the same review depth as administrator access.
- Require fresh identity verification for vendor-originated elevation Do not allow vendor role, VPN state, or inherited session context to authorise high-risk changes.
- Separate support identity from execution rights Ensure a help desk account cannot directly move from request handling to privileged execution without additional controls, approval logging, and traceable session binding.
What's in the full article
1Kosmos's full analysis covers the operational detail this post intentionally leaves for the source:
- The vendor-side service desk failure chain that enabled the initial compromise and why support workflows became the access pathway.
- The identity verification controls the source says would have blocked delegated access before client systems were reached.
- The specific privileged access and authentication mechanisms discussed in the article, including identity-based verification and step-up checks.
- The retailer-focused remediation framing that connects vendor trust, MFA bypass, and support desk governance.
👉 Read 1Kosmos's analysis of the Marks & Spencer supply chain identity breach →
Scattered Spider and retail service desks: what IAM teams missed?
Explore further
Supply chain identity compromise is now a primary retail attack path. The core issue is not perimeter weakness but delegated trust that allows a third party to act with the retailer's authority. When service desk processes are under-verified, attackers do not need to break in. They only need to present themselves as the trusted intermediary. Retail programmes must treat vendor identity as part of the core control plane, not as an external exception.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs.
A question worth separating out:
Q: Who is accountable when a third-party service desk is used to reach client systems?
A: Accountability is shared, but the client remains responsible for the access it accepts into its environment. Governance frameworks such as NIST CSF and zero trust require the buyer to verify that external support access is authenticated, approved, monitored, and revocable. Delegation does not transfer ownership of the risk.
👉 Read our full editorial: Scattered Spider exposed vendor trust gaps in retail service desks