Content 

01. News Bites
  • M&S Confirms Customer Data Stolen in Cyberattack, Losses Mount

  • Microsoft Fixes 72 Flaws in May Patch Tuesday—Five Exploited Zero-Days Included

  • Nucor Cyberattack Halts Steel Production Across Multiple Sites

  • Scattered Spider ramps up retail attacks in US after UK campaign

  • EU launches new cyber vulnerability database to boost regional security

  • Pearson confirms major cyberattack exposing customer and corporate data



02. Conclusion

Quick News Bites

M&S confirms customer data stolen in cyberattack, losses mount

Marks & Spencer has confirmed that personal customer data—including phone numbers, home addresses, dates of birth, and online order history—was stolen in the recent cyberattack. While no payment data or passwords were compromised, the retailer is prompting all website users to reset their passwords as a precaution.

The breach, which hit three weeks ago, continues to disrupt services. Online orders remain suspended, costing the company an estimated £43 million in lost sales each week, according to Bank of America analysts.

Chief executive Stuart Machin said the company is contacting affected customers and cooperating with cyber security experts and authorities. Although there’s no evidence the data has been shared, there is concern it could still be used in extortion attempts or identity fraud.

M&S, which had 9.4 million active online customers last year, is working urgently to restore normal service. The Co-op, also affected by a similar attack, plans to resume services this week.

Microsoft fixes 72 flaws in May Patch Tuesday—five exploited zero-days included

Microsoft’s May 2025 Patch Tuesday addressed 72 vulnerabilities, including five actively exploited zero-day flaws and two publicly disclosed ones. The update includes six critical vulnerabilities, mostly remote code execution bugs.

Of particular concern are five zero-days, such as CVE-2025-30400 and CVE-2025-32701, both allowing local privilege escalation to SYSTEM. Others include CVE-2025-32706 and CVE-2025-32709, also targeting privilege elevation, and CVE-2025-30397, a remote code execution flaw in the Scripting Engine affecting Edge and Internet Explorer.

Publicly disclosed zero-days include CVE-2025-26685, a spoofing bug in Microsoft Defender for Identity, and CVE-2025-32702, a remote code execution flaw in Visual Studio. Microsoft attributes several discoveries to its Threat Intelligence Center and external researchers like Google TAG and CrowdStrike.

In addition to Microsoft, Apple, Cisco, Fortinet, Google, Intel, and SAP also released major updates this month. Organisations are urged to patch immediately to avoid potential exploitation. A complete list of CVEs is available on Microsoft’s update guide.

Nucor cyberattack halts steel production across multiple sites

Nucor Corporation, the largest steel producer in the U.S., has disclosed a cybersecurity incident that forced parts of its IT systems offline and temporarily disrupted production at multiple sites. The breach, revealed in an 8-K filing to the U.S. Securities and Exchange Commission (SEC), involved unauthorised access by a third party.

Upon detection, Nucor activated its incident response plan, taking affected systems offline and initiating containment and recovery efforts. The company has notified law enforcement and enlisted external cybersecurity experts to support the ongoing investigation.

Nucor, a critical supplier of steel and scrap recycling in North America, employs over 32,000 people and reported $7.83 billion in Q1 2025 revenue. The extent of the damage is still unclear, with some operations now gradually resuming.

No ransomware group has claimed responsibility, and it’s unknown whether data was stolen or encrypted. Investigations are ongoing as operations cautiously return to normal.

Scattered Spider ramps up retail attacks in US after UK campaign

Google has issued a warning that threat actors known as Scattered Spider (UNC3944) are expanding their ransomware operations from the UK to the US retail sector. The group, notorious for social engineering tactics like SIM swapping and MFA fatigue, was behind recent attacks on UK retailers Marks & Spencer, Co-op, and Harrods, where DragonForce ransomware was deployed.

Google's John Hultquist says Scattered Spider tends to target specific industries in waves, and US retailers should prepare accordingly. DragonForce, which surfaced in late 2023, has also begun offering its services to other cybercrime groups.

The UK’s National Cyber Security Centre (NCSC) is still investigating whether the incidents are part of a coordinated campaign. Although there is no formal attribution yet, security experts urge businesses to stay alert.

Known for high-profile breaches of MGM Resorts, Twilio, and Coinbase, Scattered Spider actors are often young English speakers operating in loosely connected networks.

EU launches new cyber vulnerability database to boost regional security

Cybersecurity experts have welcomed the European Union's launch of the European Vulnerability Database (EUVD), a new centralised platform created by ENISA to provide reliable and actionable information on cybersecurity vulnerabilities. Designed to complement global initiatives like MITRE’s CVE system, the EUVD aims to improve situational awareness and reduce Europe's dependency on non-EU sources.

Mandated under the NIS2 Directive and developed in collaboration with the MITRE CVE programme, the EUVD includes details on exploitation status, mitigation measures, and threat intelligence relevant to European infrastructure. It features dashboards for critical, exploited, and EU-coordinated vulnerabilities.

The database’s release follows recent concerns over the potential shutdown of MITRE’s CVE programme due to funding issues. Experts say the EUVD offers resilience, backup, and greater localisation, especially given the growing reliance on US-based systems. With contributions from CSIRTs and vendor advisories, the EUVD represents a major step in strengthening Europe’s cyber defence posture.

Pearson confirms major cyberattack exposing customer and corporate data

UK education giant Pearson has confirmed it was the target of a major cyberattack in January 2025 that led to the theft of customer data and internal corporate information. The breach reportedly originated from an exposed GitLab token found in a public .git/config file, granting attackers access to Pearson’s development environment and internal source code.

The attackers escalated access using hard-coded credentials, reaching Pearson’s cloud services, including AWS, Google Cloud, Snowflake, and Salesforce CRM. Terabytes of data were allegedly exfiltrated over several months, including financial records, support tickets, and customer data.

Pearson called the stolen information “largely legacy data,” though it has not clarified whether affected users will be notified or if a ransom demand was involved. The company has since engaged forensic experts, enhanced security measures, and involved authorities.

The attack follows a similar breach at Pearson subsidiary PDRI and underscores the rising threat of exposed Git credentials in cloud environments.

Closing Summary

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.