Skip to main content
Marsh logo

Resource centre

UK Cyber incidents linked to Scattered Spider

Multiple retailers have been hit by separate cyber incidents in the last week in a highly targeted, sophisticated campaign. It is believed that the threat group known as Scattered Spider is behind this campaign.

What should you do if you suspect a compromise?

  • Activate your incident response and/or crisis management plans, and stand up your incident response team.
  • Shift to out of band communication platforms, such as CYGNVS.
    Call the CYGNVS hotline to create your secure incident room and invite relevant internal and external stakeholders to join.
  • Notify Marsh Cyber Incident Management team via our dedicated 24/7 CYGNVS hotline.
    Notify cyber insurers promptly.
  • Seek expert support and do not engage with the threat actor.

If you think your business has been affected, we urge you to reach out to your Marsh contact or one of our cyber specialists as soon as possible.

Dedicated CYGNVS 24/7 hotline

Call us Email us

Steps to protect your organisation now

Review your logs and investigate any recent false positives. Strengthen your environment against the published Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs) associated with Scattered Spider.

Alert your IT service desk to investigate suspicious passwords and/or MFA resets over the last few months.

Review your MFA policy and remove the ability for individuals to authenticate with a phone number.

Refresh employee training on phishing, social engineering and deepfake threats. Emphasise the importance of verifying requests for sensitive information.

Establish verification protocols for requests for information and resetting credentials, requiring secondary confirmation via a different communication channel.

Train helpdesk staff to recognise signs of social engineering attempts and implement strict verification processes for sensitive requests.

selected option

View the slides from our recent webinar, UK Retailers: Protecting Against Cyber Threats

View the slides

Here are the ways we can help if you have been or suspect you have been impacted.

Event management

  • Engaging technical assistance for your organisation, to help investigate any suspected compromise and to work on containment.
  • Supporting crisis management and communications, and bringing in any other expert assistance required.

Insurance coverage/recovery

  • Submitting a notice of circumstance or claim against your cyber insurance and supporting your organisation in obtaining the maximum reimbursement under your policy.

Employee awareness training

  • We can provide in-depth training courses for your employees on how to identify the social engineering tactics used by threat actors.

We will continue to monitor the situation and will keep you apprised of further developments.

Further guidance

Contacts

Helen Nuttall

Helen Nuttall

Head of Cyber Incident Management

  • United Kingdom

Holly Waszak

Holly Waszak

Head of Cyber Claims, Cyber Risk

  • United Kingdom

Placeholder Image

Kelly Butler

Cyber Practice Leader, Marsh Specialty

  • United Kingdom

Serena France-Hayhurst

Serena France-Hayhurst

UK Cyber Placement Leader, Cyber Risk

  • United Kingdom

Kelvyn Sampson

Kelvyn Sampson

Marsh UK Industries - Retail, Food & Beverage, and Leisure Industries Leader

  • United Kingdom