Investigation mounted into Spar supermarket cyber attack

The UK’s National Cyber Security Centre (NCSC) is investigating a security incident that has caused disruption at about 300 Spar stores in the north of England in a cyber attack that bears the hallmarks of a supply chain ransomware hit.

Based in the Netherlands, Spar operates a franchise model with more than 13,000 individual stores globally. It is some of these franchises that have been attacked by threat actors as yet unknown.

Among the victims is Lawrence Hunt & Co, which operates 25 stores in Lancashire. The firm described a “total IT outage affecting all our stores” which forced them to remain closed on Sunday 5 December. The franchisee later confirmed an outage “affecting tills, credit cards and back-office systems”.

Many other Spar operators have been posting further updates. Hull University Students’ Union spoke of a “security breach on the network system” that had forced it to shut its campus branch, while another store in Ribchester, Preston informed customers of a “major and widespread IT failure”.

As of Monday 6 December, many branches were open, but were operating as cash-only businesses. Computer Weekly understands that incident responders were aiming to try to bring stores back online on Monday evening, but as of the morning of Tuesday 7 December, this work had been put back and many stores remained shut.

The attack appears to have originated from within the systems of Preston-based wholesaler and food distributor James Hall & Co, which supplies about 600 Spars across the region.

The firm’s website remained inoperable at the time of writing, but in a statement circulated on social media, a spokesperson said: “James Hall & Company are currently aware of an online attack on its IT system. This has not affected all Spar stores across the north of England, but a number have been impacted over the past 24 hours and we are working to resolve this situation as quickly as possible.

“It is currently impacting stores’ ability to process card payments, meaning that a number of Spar stores are currently closed to shoppers or only taking cash payments.

“We apologise for the inconvenience this is causing our customers and we are working as quickly as possible to resolve the situation.”

Toby Lewis, global head of threat analysis at Darktrace, said the attack offered more proof – if it were needed – that organisations exist in a complex web of dependencies and are only ever as secure as their suppliers. “While people, services and technology can be outsourced, risk cannot,” he said.

“Reports of a major IT outage, including the website, payment processing and distribution logistics, indicate that this was likely to be ransomware – for which there is no quick recovery fix. If paid, the price of a ransom is typically a fraction of the total cost of the incident – and full recovery often takes months.”

Brooks Wallace, EMEA vice-president at Deep Instinct, said the timing of the cyber attack suggested it was carried out by threat actors motivated to extract the biggest possible concessions from their target.

“The Christmas period is usually the busiest time for most businesses, none more so than supermarkets,” said Wallace. “With the demand that supermarkets experience over the holiday season, if they are hit by a ransomware attack, they are naturally desperate to recover as quickly as possible.

“It is, therefore, a big red target for many threat actors who know that any ransom demand could be paid almost immediately.”