Scattered Spider: What these breaches reveal about crisis leadership under pressure


Scattered Spider has been active since 2022. The group is known for persistently bypassing controls and for understanding its targets' internal processes, and its breaches have affected many high-profile organizations, including M&S, Co-op, MGM Resorts, and Caesars.
In several of these cases, the breach didn’t begin with a direct attack on the organization itself; it began with a third-party supplier. In others, it started with a helpdesk process that could be manipulated by someone who knew what to ask for.
These incidents reveal a clear pattern: once access is gained, service disruption often follows. And it doesn’t just affect IT systems; it undermines customer trust, regulatory confidence, and internal cohesion.
It’s also worth noting that this isn’t a single attacker operating in isolation.
Scattered Spider functions more like a franchise that is distributed, multilingual, and coordinated across geographies. Their operations span time zones and industries, often with internal role separation between social engineers, access brokers, and ransomware affiliates. This level of coordination allows them to maintain persistence, switch tactics quickly, and target organizations through complex, multi-party ecosystems.
The result is a prolonged, high-pressure situation in which technical teams are working to restore systems while leadership is managing public scrutiny, operational gaps, and a shifting legal landscape.
The leadership challenge
When a breach of this nature occurs, the crisis is rarely confined to a single moment. The technical event might take hours or days, but the consequences unfold over weeks or even months.
This is when the hardest decisions emerge, and they demand coordination under pressure:
- How transparent can you be if a third party was the source?
- How do you maintain service continuity when recovery is inconsistent across regions or functions?
- What message do you give customers when the facts are still changing?
Inside the crisis response room, priorities often compete. Legal wants to limit exposure. The Communications team needs to reassure the public. Operations are focused on recovery, and the executive team is trying to keep the business stable while balancing all of it in real time.
This is where many crisis plans start to unravel because they weren’t designed to flex around ambiguity, conflict, and prolonged uncertainty.
If you’re not testing the real risks, you’re not prepared
Most organizations have incident and crisis response plans. Some run tabletop exercises. But few go deep enough to test how the organization actually functions when the crisis drags into its second or third week, when internal alignment frays, customer pressure builds, and recovery is uneven.
If your role includes crisis preparedness, these are the questions worth exploring now:
- Have you planned for a scenario where your core systems are offline for three weeks? Not just the recovery steps, but how to continue operating, to support teams, to explain delays, to lead.
- Are your helpdesk teams prepared to escalate unusual behaviour? Not through eLearning modules, but with scenario-based training that reflects real-world attacker tactics.
- Do your crisis exercises include a third-party breach as the trigger event? If they don’t, you’re missing the most common breach vector seen in recent incidents.
- Can you manage recovery that unfolds unevenly across functions or regions?
- Is your comms team prepared to manage scrutiny that returns months later? Legal action, regulatory findings, or investigative journalism often extend the crisis lifecycle well beyond the technical resolution.
This is where organizations need to shift from reactive to resilient. It’s no longer enough to rely on policies and plans. You need to prove and improve your cyber readiness in live conditions so you can lead through uncertainty, not just respond to it.
Lessons from M&S and Co-op
This year, M&S and Co-op were thrust into the spotlight following breaches linked to Scattered Spider. In both cases, the attackers didn’t exploit technical weaknesses within the organizations themselves; they exploited trusted relationships. Third-party suppliers, helpdesk processes, and the natural human instinct to help were all part of the attack path.
M&S faced a 15-week disruption to key services like click-and-collect, with the breach traced back to a supplier compromise.
Co-op had over 6.5 million member records accessed, after helpdesk-based social engineering allowed attackers to escalate privileges.
Here’s what stood out:
- Both organizations communicated early and showed visible effort. In the early phase, each acknowledged the service impact and focused on immediate actions being taken. That visible movement is critical, even when all the facts aren’t yet clear; it signals urgency and responsibility.
- The complexity came as facts evolved. For Co-op, early reassurance about customer data had to be revised when threat actor disclosures emerged. For M&S, a prolonged outage created mounting operational and reputational strain, even with a strong internal response underway.
- Both were accountable without being the origin. That’s one of the toughest dynamics in crisis leadership. When the root cause lies outside your organization, your visibility is limited, but public and regulatory accountability is not.
These are not failures. They’re real-world case studies of how crises unfold in complex ecosystems, and what it takes to manage through them.
And if you’re on the other side of that trust equation as a critical third-party provider, the lessons are just as important.
Suppliers now operate at the front line of risk, even if they’re not always recognized as such. If you provide managed services, helpdesk support, cloud platforms, payment processing, or any critical function for another organization, your exposure is no longer just contractual, but reputational and operational.
Key questions for suppliers:
- Do your internal teams (especially customer-facing support) understand how social engineering tactics evolve?
- Have you rehearsed how to handle a security incident that affects your downstream clients?
- Are you prepared to share facts quickly and responsibly under joint scrutiny from your customers, their regulators, and the public?
What leaders should prioritize now
If there’s one shift worth making before the next crisis, it’s broadening the definition of readiness. That means moving beyond a purely technical view of risk and focusing on how the business will actually respond under pressure.
Start by briefing your executive team on three realities:
- The next breach may come through a supplier, but the reputation hit will be yours.
- Operational continuity matters more than system restoration during the first weeks.
- Your helpdesk, not your perimeter, may be the most vulnerable link in your chain.
From there, focus on exercising the moments that expose friction: conflicting advice, ambiguous facts, public pressure, and legal oversight. Because those are the moments that define how a crisis feels to customers, regulators, and employees.
This is what it means to be ready, not just to detect an incident but to lead through it.
Final thought: this is the pressure test
Scattered Spider and groups like it are showing us what modern crises really look like. They start with misplaced, misused, or manipulated trust, and by the time the breach is known, the organization is already in motion, responding, recovering, and managing reputational risk all at once.
Readiness today isn’t defined by how quickly you patch a system or activate a runbook. It’s defined by how well you:
- Spot slow-moving breaches
- Coordinate across functions
- Communicate when facts are incomplete
- Operate under partial failure
- And hold trust when the entry point wasn’t even yours
That’s the test.
Explore more
Whether you’re in cyber, crisis management, or operational leadership, you can learn more about the tactics and tools behind Scattered Spider in our latest lab content and exercises:
Lab – Scattered Spider and Dragonforce: Campaign Analysis
Lab – Threat Actors: Scattered Spider
Workforce Scenario – Social Engineering Techniques
Crisis Sim – Responding to a Scattered Spider Attack
These resources are designed to help your teams be ready, not just to understand the threat, but to prove and improve how you’ll respond when it matters most.