The Retail Sector Isn’t Ready for the Next Scattered Spider Attack, But it Could Be
The cybercriminal group known as Scattered Spider (UNC3944 / Octo Tempest) has already made headlines this year with its disruptive attacks on high-profile retailers and critical service providers. The tactics weren't novel in a technical sense, but they were ruthlessly effective: social engineering of help desks, SIM swapping, multifactor authentication resets, and the abuse of legitimate remote access tools to move quickly and quietly through networks before exfiltrating data and then encrypting systems.
Weeks have passed since the initial incidents, but the threat hasn’t faded. Scattered Spider is still active, evolving, and remains a focus of national cybersecurity advisories.
The fallout of recent attacks on the retail sector was devastating. What's most concerning, however, is how little has changed since.
More of the Same
Despite the scale of impact — millions lost, weeks of downtime, reputational damage — many organizations are responding with more of the same: tightening access controls, conducting phishing training, and updating detection rules.
These steps are important, but they miss the fundamental lesson: the real failure wasn’t at the perimeter, it was in assuming that identity and access controls were enough to protect the data.
In each case, attackers didn’t “hack in.” They impersonated employees, tricked help desks, and used valid credentials. Once inside, they moved freely, accessing critical data stores, extracting sensitive information, and encrypting systems to extort payment. The perimeter held. The credentials worked. And still, the data was lost.
This is the approach that needs addressing. And yet, it's often overlooked in post-incident analysis.
Something Has Got to Give
It’s time for the industry to confront a difficult truth: most security strategies are still designed to protect systems, not the data those systems manage. As long as that remains true, ransomware will remain profitable.
A more resilient approach is to treat data as an asset and protect it directly, regardless of who accesses it, from where, or via what tool. This strategy, data protection and risk mitigation (DPRM), shifts away from trust-based access and toward persistent, policy-enforced encryption and segmentation at the data layer.
Had this approach been in place during recent retail attacks, the outcomes could have been materially different.
Why a New Approach to Cybersecurity is Needed
Consider the high-profile incident at Marks & Spencer earlier this year. Attackers reportedly gained access through a third-party supplier, leading to an estimated £300 million in lost profit and a seven-week operational freeze, including contactless payment failures and logistics gridlock. Even if the initial compromise had still occurred, data-centric protection could have rendered the exfiltrated customer, inventory and financial records unreadable to the attackers, removing both the extortion leverage and much of the reputational harm.
The Co-op managed to contain the impact through strong network segmentation, temporarily reverting to paper-based processes. It's a credit to its detection and incident response teams. But segmentation alone doesn't stop data leakage. Had critical datasets been persistently protected at the file level, even a partial breach would have yielded no usable information.
When ransomware groups no longer gain value from stolen data, their model collapses. Recovery becomes faster, the financial hit is reduced, and any reputational impact is minimized. Importantly, executive and regulatory liability is dramatically lowered.
And make no mistake, those liabilities are growing. Under regimes such as GDPR, DORA and NIS2, failure to protect personal or operational data carries legal consequences. Executives and boards are expected to ensure data protection by design, not merely compliance by checkbox.
What’s needed now is a mindset shift from securing access to securing value.
That means reducing reliance on reactive perimeter tools and investing in architectures that assume compromise and neutralize its impact. It means understanding that ransomware only works when attackers can extract data or disrupt operations in ways that cause real financial damage. When the data is indecipherable and the backups are untampered, the pressure evaporates.
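The second half of that condition, knowing that a backup is untampered before you restore from it, is a check that can be automated. The following is an added example written for this page, not Certes code and not a description of the DPRM product: it hashes every file in a backup set, signs the manifest with an HMAC key that is assumed to be held offline (hypothetically in an HSM or a vault the backup host cannot reach), and refuses the restore if any file was modified, removed or added, or if someone re-hashed the tampered files but lacked the key to sign a new manifest. The sample backup contents are constructed for the demo.

```python
import hashlib
import hmac
import json
import os
import secrets
import tempfile

# Constructed sample backup set for the demo (not real retailer data).
SAMPLE_BACKUP = {
    "customers.csv": b"id,name,postcode\n1,A. Customer,AB1 2CD\n",
    "inventory.json": b'{"sku":"1001","qty":42}\n',
}


def file_digest(path, chunk=1 << 16):
    """SHA-256 of a file, streamed so large backup archives fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> digest for every file under root."""
    entries = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = file_digest(full)
    return entries


def _canonical(entries):
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(entries, key):
    """HMAC the canonical manifest; the key is assumed to live off the backup host."""
    return {"files": entries, "hmac": hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()}


def verify_backup(root, manifest, key):
    """Return (ok, problems). Fails closed if the manifest itself is not authentic."""
    expected = hmac.new(key, _canonical(manifest["files"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return False, ["manifest signature invalid: do not trust file list"]
    current = build_manifest(root)
    problems = []
    for rel, digest in manifest["files"].items():
        if rel not in current:
            problems.append(f"missing: {rel}")
        elif not hmac.compare_digest(current[rel], digest):
            problems.append(f"modified: {rel}")
    for rel in current:
        if rel not in manifest["files"]:
            problems.append(f"unexpected: {rel}")
    return not problems, problems


def demo():
    key = secrets.token_bytes(32)  # hypothetical offline signing key, never stored with the backup
    with tempfile.TemporaryDirectory() as root:
        for rel, data in SAMPLE_BACKUP.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        manifest = sign_manifest(build_manifest(root), key)
        clean_ok, _ = verify_backup(root, manifest, key)

        # Simulated tampering: a record appended to a backed-up file and a new file dropped in.
        with open(os.path.join(root, "customers.csv"), "ab") as f:
            f.write(b"9,INJECTED,XX\n")
        with open(os.path.join(root, "ransom_note.txt"), "wb") as f:
            f.write(b"pay up\n")
        tampered_ok, problems = verify_backup(root, manifest, key)

        # An attacker who re-hashes the tampered set still cannot sign it without the key.
        forged = sign_manifest(build_manifest(root), b"wrong-key")
        forged_ok, _ = verify_backup(root, forged, key)
    return clean_ok, tampered_ok, sorted(problems), forged_ok


if __name__ == "__main__":
    print(demo())
```

The check only tells you the backup is what you wrote; it does not make the data indecipherable to whoever steals it. That half of the condition needs encryption at the data layer with keys the backup host never holds, which is a separate control from the one shown here.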
Cyber Attackers Are Watching … and Waiting
The cybercriminals behind Scattered Spider haven’t gone away. If anything, they’ve become more efficient. They're watching how the industry responds and they're betting it won’t change fast enough.
They might be right. But it doesn’t have to be this way.
The next breach is already in motion. Whether it's Scattered Spider or another group using similar tactics, the methods are now known. The question is whether organizations will continue to reinforce the same outdated strategies or adopt a posture that makes the data itself inaccessible, unusable, and unprofitable to attack. Because ransomware only works if the data is vulnerable. And right now, far too much of it still is.
Simon Pamplin is chief technology officer of Certes, a provider of cybersecurity and data protection solutions.
Simon Pamplin is chief technology officer at Certes, with over two decades of expertise as a leading technical evangelist in data security and infrastructure networking.
Since joining Certes in 2022, Simon has driven the adoption of Data Protection and Risk Mitigation (DPRM), an approach that treats data as the ultimate asset in cybersecurity and that he positions as distinct from the competition: protecting the data itself rather than just the infrastructure, to keep information safe against ever-evolving threats that AI is making more sophisticated than ever.
Simon’s vision and leadership make him a key figure in redefining cybersecurity for forward-thinking organisations worldwide.