
After M&S: Addressing Identity Verification in Critical National Infrastructure (CNI)

In April 2025, Marks & Spencer (M&S) became the most visible casualty of a sophisticated identity-based cyber attack. The breach cost the retailer an estimated £300 million in lost operating profit and temporarily wiped more than £700 million from its market value. Not long after, Trustmarque was engaged by a UK-based critical national infrastructure (CNI) organisation to assess their exposure to the same class of attack and guide them through the vendor landscape for identity verification (IDV).

This article shares the key findings from that engagement, explores the wider implications of the attack against M&S, and introduces five security practices that directly address the challenge of IDV.

Background: The 2025 M&S Breach

The M&S cyberattack last April made headlines long into the second half of the year. The root cause was not a zero-day exploit or an unpatched vulnerability; it was a failure at the most human layer of cybersecurity: identity verification at the IT helpdesk.

The attack exposed a flaw that exists in almost every large enterprise: when a person calls the helpdesk claiming to be an employee, how do you know they are who they say they are? At M&S, the verification methods were inadequate and the consequences catastrophic.

"The attackers posed as an employee – one of 50,000 people associated with the company – and successfully manipulated a third-party provider into resetting an internal user's password." Archie Norman, M&S Chairman | UK Parliament Business and Trade Sub-Committee, July 2025

A Wake-Up Call for UK Enterprises

The M&S attack began as early as February 2025, when threat actors, now believed to be the Scattered Spider collective, infiltrated the retailer's network and exfiltrated the Windows domain's NTDS.dit file. This is a critical database containing password hashes for every domain user. By cracking those hashes, the attackers gained a foothold that enabled them to move laterally across M&S's corporate infrastructure over the following weeks, entirely undetected.

The decisive moment, however, was not a technical exploit. It was a phone call. The attackers posed as an M&S employee and successfully manipulated a third-party IT helpdesk contractor (operated by Tata Consultancy Services) into resetting the target account's password. That single act of social engineering bypassed all of M&S's existing multi-factor authentication (MFA) controls.

On April 24, the attackers deployed DragonForce ransomware against M&S's VMware ESXi hosts, encrypting virtual machines that supported e-commerce, payment processing and logistics. Online clothing orders were suspended for 46 days. Food availability was severely disrupted. Approximately 200 warehouse staff were temporarily furloughed. The company's share price fell sharply and its brand trust – measured at 87% customer recommendation before the attack – dropped to 73% in its aftermath.

Why The Attack Matters Beyond Retail

The M&S incident was not an isolated retail sector problem. Within weeks, Co-op and Harrods suffered similar attacks from the same threat group. Scattered Spider has since expanded its focus to aviation, insurance, and US retailers. Google Threat Intelligence researchers confirmed the pattern is spreading globally.

For CNI organisations (energy, water, transport, telecoms, and financial services), the stakes are immeasurably higher. A successful social engineering attack against a CNI operator's helpdesk could result not just in financial loss, but disruption to essential services that millions of people depend on. The regulatory consequences under the UK's Network and Information Systems (NIS) Regulations and the evolving NIS2 framework would also be severe.

How We Helped One UK CNI Organisation Respond

Shortly after the M&S breach made headlines, we were approached by a UK-based critical national infrastructure organisation. Their Chief Information Security Officer (CISO) recognised that the existing helpdesk identity verification process, which relied on a combination of employee ID numbers, shared knowledge-based questions, and manager callbacks, would not withstand the techniques used by Scattered Spider.

The Problem

The customer’s challenges were representative of those we see across the CNI sector:

  • A large, geographically distributed workforce including contractors and third-party suppliers with privileged access to operational technology (OT) systems
  • A high volume of helpdesk calls for password and MFA resets, creating operational pressure that incentivised agents to process requests quickly rather than cautiously
  • Existing identity controls that were not designed to withstand AI-generated deepfakes, voice cloning, or sophisticated impersonation
  • A complex technology estate mixing legacy on-premises systems with cloud infrastructure, requiring any IDV solution to integrate without disrupting critical operations
  • Regulatory obligations under the NIS Regulations requiring demonstrable security controls around access to critical systems

Our advisory engagement covered three phases: a current-state assessment of their helpdesk verification processes and technology controls; a structured market review of the leading identity verification vendors; and a shortlisting exercise aligned to the organisation's specific risk profile, technical environment, and regulatory requirements.

The Identity Verification Market: Assessing the Solutions Available

The identity verification market has matured rapidly in response to the threat landscape. The category now encompasses far more than document scanning and one-time passcodes. Leading solutions combine biometric liveness detection, AI-powered deepfake resistance, continuous authentication, and integration with enterprise IAM stacks. For CNI organisations in particular, the following capabilities are non-negotiable.

Deepfake and Injection Attack Resistance: The use of AI-generated faces, voices, and synthetic identities has grown dramatically. Any viable solution must be certified to recognised standards such as iBeta Level 2 or Level 3 for Presentation Attack Detection (PAD), and must actively defend against digital injection attacks that bypass the camera entirely.

Helpdesk-Specific Workflows: The M&S attack vector was the IT helpdesk. Solutions must integrate directly into helpdesk workflows — whether ServiceNow, Jira Service Management, or bespoke platforms — enabling agents to trigger a real-time identity verification in seconds without disrupting the support experience.

Self-Service Account Recovery: Reducing the volume of calls that require agent involvement is itself a security control. Enabling employees to verify their own identity and reset their own credentials — under robust IDV controls — removes the human social engineering target from the equation.

Enterprise IAM Integration: Solutions must integrate with existing identity providers such as Microsoft Entra ID, Okta, and Cisco Duo. Standalone point solutions that sit outside the IAM stack create complexity and coverage gaps.

Privacy and Data Sovereignty: For UK CNI organisations, the handling of biometric and personal identity data is subject to strict obligations under UK GDPR and sector-specific regulation. Vendors must offer clear data residency controls, minimal PII retention, and demonstrable compliance with relevant standards including ISO 27001 and SOC 2 Type II.

Speed of Deployment: In the aftermath of a sector-wide alert, organisations need solutions that can be deployed quickly. Vendors who can demonstrate deployment measured in days rather than months — without requiring heavy custom integration work — offer a material advantage.

Our Advisory View

The M&S breach was not a unique event. It was the clearest example yet of a threat that has been building for several years: attackers are increasingly targeting the human and process layers of security rather than purely technical vulnerabilities. The helpdesk, under pressure to resolve tickets quickly and with inadequate tools to verify caller identity, is now one of the most exploited entry points in enterprise cybersecurity.

For UK critical infrastructure organisations, the calculus is straightforward. The cost of deploying robust identity verification is a fraction of the cost of a single successful social engineering attack, even across a complex, hybrid environment. The solutions profiled in this document are mature, deployable, and proven at scale.

Our recommendations to the CNI customer we advised are the same as those we’d share with any UK enterprise operating critical services: treat identity verification not as an IT project but as a board-level security control. The question is no longer whether to invest in this capability, but how quickly you can deploy it and where in your environment the exposure is greatest.

Beyond the board, back on the frontline, the most effective measures for strengthening your IDV include:

  • Audit your helpdesk identity verification process: what checks are agents performing today, and could a motivated and prepared threat actor defeat them?
  • Map your highest-risk helpdesk scenarios: password resets, MFA re-enrolment, and privileged access requests are the primary targets
  • Evaluate your IAM integration landscape before selecting a vendor. The best IDV solution is one that augments your existing stack rather than adding a parallel silo
  • Pilot a solution in a limited scope before full deployment, focusing on scenarios where the consequences of impersonation would be most severe

To discuss your organisation's identity verification posture or arrange a briefing to cover our solutions, please speak with your account manager at Trustmarque Ultima.

About the Author

Alon Josefsberg is a Cyber Security PreSales Consultant at Trustmarque, specialising in identity security, operational technology protection, and cloud-native security architectures. With more than a decade of experience across cybersecurity, IT and enterprise consulting, Alon has advised organisations across the UK on strengthening their security posture, reducing identity-based attack surface, and navigating complex regulatory environments.
