Transcript
Jim Love (0:01)
Two big updates on the recent Marks and Spencer hack. A Brazilian bank breach is an inside job and McDonald's HR data was made vulnerable not by artificial intelligence, but by a singular lack of developer intelligence. This is Cybersecurity Today. I'm your host Jim Love. Two big updates on the Marks and Spencer story. Marks and Spencer have provided some additional facts in testimony before a parliamentary investigation which sheds some light on the attack that took out the retail giant in the UK and spread from the UK to North America as well. Secondly, it appears that police have made some arrests. The BBC is reporting that four people have been arrested by police in the National Crime Agency investigation of the attacks on Marks and Spencer and the other retailer Co-op in the UK. A 20 year old woman and three males aged 17 and 19 were detained in the London and West Midlands areas in the UK. The 19 year old is from Latvia and the 17 year old and the woman arrested are both from the UK. The police arrested them at their homes in quiet suburban areas and seized their equipment as well. Paul Foster, head of the NCA, said it was a significant step in the investigation, but they are continuing to work with partners in the UK and overseas, indicating there may be more to come, and that would be very good news indeed. Marks and Spencer and Co-op were just the start of a wave of similar attacks that have spread from the UK into North America. And meanwhile, Marks and Spencer released more information about how the cyber criminals infiltrated their network back in April, and their carefully worded testimony suggests they may have quietly paid the ransom. Marks and Spencer chairman Archie Norman revealed to Parliament this week that the breach began with social engineering, which he described as sophisticated impersonation. Threat actors posed as one of the company's employees to trick a third party help desk into resetting a password. 
That third party was reportedly IT outsourcing giant Tata Consulting Services, which handles Marks and Spencer's technical support. Norman went out of his way to say this wasn't just a simple phishing email; it was a sophisticated attack, he said. They appeared as somebody with their details, and the attackers had done their homework on Marks and Spencer's internal systems and personnel. The attack was initially attributed to the DragonForce ransomware operation, believed to be operating from Asia, ultimately forcing Marks and Spencer to shut down all their systems. Sources told BleepingComputer that approximately 150 gigabytes of data was stolen and numerous VMware ESXi servers were encrypted. DragonForce typically employs these double extortion tactics, stealing data and threatening to publish it unless ransoms are paid. But months later, DragonForce has not made an entry on their data leak site for Marks and Spencer, which seems to indicate that Marks and Spencer paid the ransom. But on that point, Norman was a little evasive. When Parliament pressed him about ransom payments, his response was revealing. He said that Marks and Spencer took a hands-off approach, leaving negotiation to professionals who have experience in the matter, likely referring to specialized ransomware negotiation firms. When directly asked if they paid, Norman again deflected, saying they weren't discussing details publicly, but they had shared everything with authorities. We'll have more on this story on our Weekend Edition, where our panel will feature an expert on ransomware groups and some insights into the worldwide network called Scattered Spider that may be a part of this attack as well. Brazil's financial sector is still reeling from a devastating cyber attack that demonstrates how a single employee can trigger a massive security breach and, in this case, lead to the theft of over 140 million from the country's central banking system. 
C&M Software, which provides the critical bridge services connecting Brazil's central bank to local institutions, revealed on June 30 that hackers had stolen 800 Brazilian reals, approximately $140 million, from the reserve accounts of six financial institutions. The attack was so severe that Brazil's central bank immediately suspended access to C&M's software platform for all local banks while investigating the breach. But the real shock came when police arrested the person who made it possible. A 48 year old IT worker who worked on backend systems at C&M Software allegedly sold login credentials to hackers for approximately $2,700, granting them unauthorized access to the critical financial systems. The payout was a tiny fraction of what the criminals ultimately stole, and according to police, Rock's story reads like a low budget thriller. He claims cybercriminals first approached him in March as he was leaving a São Paulo bar, and that he later received instructions via WhatsApp and payments through motorcycle couriers. He reportedly changed his mobile phone every 15 days in a futile attempt to avoid being tracked. We say futile because police identified him and arrested him. Now the good news. The stolen money came from reserve accounts used by financial institutions to exchange funds between themselves rather than customer accounts, meaning the public isn't directly impacted. Brazilian authorities have since frozen $50 million linked to the incident, but the case highlights a critical vulnerability in financial infrastructure: the insider threat. No matter how sophisticated your external security, a single employee with access to sensitive systems can potentially compromise everything. For financial institutions worldwide, this incident underscores the need for stronger internal controls and monitoring of privileged access. 
Fast food giant McDonald's embrace of AI screening has backfired spectacularly, with hackers accessing years of job applicant data through security flaws so basic they're almost embarrassing. We'll be clear on this story. The use of AI is not the problem. It's not artificial intelligence that's at issue, but, dare we say, a lack of intelligence from the creators of this app. We try to be charitable. Anybody can make a mistake. But 12345 as an admin password? Who's the security administrator on this system? The clown. McDonald's uses an AI chatbot called Olivia to screen job applicants through its McHire platform, and that platform was built by AI firm Paradox.ai. Olivia handles everything from collecting contact information to directing personality tests. But until last week, the system had a problem: virtually anybody could hack into it. Security researchers Ian Carroll and Sam Curry discovered they could access the back end of McDonald's hiring platform using tricks as simple as guessing the administrator passwords. We'd love to say that Sam and Ian had some great technical ability or practiced some sophisticated social engineering, or that they were the Hamburglars of security, but the truth is the passwords were insanely easy to guess. The worst example? Reportedly an admin account was secured with the password 123456, a combination so weak that it ranks among the world's most commonly used stupid passwords. The breach exposed what appears to be 64 million records containing applicants' names, email addresses and phone numbers from years of McDonald's job applications. Carroll said he stumbled onto this gold mine of personal data within just 30 minutes of starting his investigation. Carroll explained: "I just thought it was pretty uniquely dystopian compared to a normal hiring process. So I started applying for a job and then after 30 minutes we had full access to virtually every application that's ever been made to McDonald's, going back years." 
Now the vulnerability highlights a growing concern as companies rush to deploy AI systems without proper security oversight. Paradox.ai has since acknowledged the breach and claims the weak password account was not accessed by any third party other than the researchers who discovered it. McDonald's tried to quickly distance themselves from responsibility, calling the vulnerability unacceptable and blaming their third party vendor. The company said the issue was resolved the same day it was reported. For job seekers, this incident serves as a stark reminder that even routine activities like applying for work can expose personal information if companies prioritize innovation over security fundamentals. And for companies, it's a warning that just because a company seems to know a lot about AI or has a URL that ends in .ai, don't assume that they have what it takes to properly implement and secure a system. And McDonald's might have been able to hold the vendor responsible, but as all security professionals know, you cannot delegate accountability. And that's our show. Stay tuned this weekend for a month-in-review and some in-depth discussions about some of the big security issues and stories from this month. Catch it on Saturday morning or whenever you listen to long form podcasts. I'm your host, Jim Love. Thanks for listening.
