This week:
3 – M&S attack started when a supplier’s employee was tricked
2 – The best phishing emails look like they came from IT or HR
1 – Your Facebook & Instagram data will be used to train Meta’s AI, unless you object. Right now.
3 – M&S attack started when a supplier’s employee was tricked
“Unable to get into our systems by breaking through our digital defences, the attackers did try another route resorting to social engineering and entering through a third party rather than a system weakness.”
Source: Reuters
What’s the story?
Marks & Spencer (M&S) has disclosed that hackers breached its systems by exploiting a third-party contractor through social engineering tactics, bypassing the retailer’s direct digital defences.
As a result, despite tripling its tech investment over the last 3 years, M&S faces significant operational disruptions, with online services not expected to be fully restored until July.
The breach has led to an estimated £300 million loss in operating profit.
So what?
The CEO talks about M&S’s “digital defences”.
A critical component of any organisation’s digital defences is the defences of its suppliers: an attacker who cannot get through your perimeter will happily walk in through a contractor who already has access.
Vendor management; Third party risk management; Supply chain risk management:
Call it what you will.
Just make sure you do it.
2 – The best phishing emails look like they came from IT or HR
“Phishing emails that appear to be internal and come from the IT or HR department are the emails that trick the most users [...] almost 50% specifically mentioned HR.”
Source: CSO Online
What’s the story?
According to this story on CSO Online and based on a recent KnowBe4 report, phishing emails impersonating internal departments like IT and HR are particularly effective at fooling humans into clicking links or opening attachments.
Subject lines such as “Zoom clips” from managers, HR training updates, and email server warnings also appear to lead to higher click-through rates.
So what?
Many organisations add a warning to the top of any email that has arrived from outside the organisation, and tag its subject line.
And now you know why.
It’s a simple measure to reduce the likelihood of you being fooled into thinking an attacker’s email came from a trusted colleague or internal team: a message that claims to be from “IT” or “HR” but carries the external banner is one you should treat with suspicion.
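As an added example (not code from the original article, nor from the CSO Online story or the KnowBe4 report it cites), here is a small Python model of that gateway rule. It assumes a single internal mail domain, example.com, uses constructed sample messages, and takes an `arrived_from_internet` flag standing in for what a real gateway knows from the connection it received the message on. The point it makes is that the banner is driven by where the message actually came from, not by the attacker-controlled From header, and that a display name such as “IT Helpdesk” on an external address is exactly the case the banner is there to expose.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Assumption for this example: the organisation's own mail domain(s).
INTERNAL_DOMAINS = {"example.com"}

# Teams the quoted report says phishers impersonate most. Word-boundary
# matching so that "security" does not trigger on "it".
IMPERSONATED_TEAMS = re.compile(
    r"\b(it|hr|helpdesk|service desk|human resources|payroll)\b")

SUBJECT_TAG = "[EXTERNAL] "
BANNER = ("CAUTION: This email originated from outside the organisation. "
          "Do not click links or open attachments unless you recognise "
          "the sender and know the content is safe.\n\n")


def sender_parts(msg):
    """Split the header From into lower-cased display name, address, domain."""
    name, addr = parseaddr(str(msg.get("From", "")))
    return name.strip().lower(), addr.lower(), addr.rpartition("@")[2].lower()


def external_reasons(msg, arrived_from_internet, internal_domains=INTERNAL_DOMAINS):
    """Why (if at all) this message should carry the external warning.

    `arrived_from_internet` is what the gateway actually knows: the message
    came in over the public MX rather than from an authenticated internal
    submission. The header From is never trusted on its own, because the
    attacker chooses it.
    """
    if not arrived_from_internet:
        return []
    name, addr, domain = sender_parts(msg)
    reasons = ["message received from outside the organisation"]
    if domain in internal_domains:
        # Claims to be internal but did not come from inside: spoofed.
        # A correctly configured DMARC policy should already reject this.
        reasons.append(f"header From claims internal domain {domain!r} "
                       "but the message arrived from outside (spoofed)")
    if IMPERSONATED_TEAMS.search(name):
        reasons.append(f"display name {name!r} impersonates an internal "
                       f"team from external address {addr!r}")
    return reasons


def tag_external(raw_message, arrived_from_internet, internal_domains=INTERNAL_DOMAINS):
    """Return (reasons, message). When external, the subject is tagged and the
    banner is prepended to the plain-text body; the tag is applied once."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = external_reasons(msg, arrived_from_internet, internal_domains)
    if reasons:
        subject = str(msg.get("Subject", ""))
        if not subject.startswith(SUBJECT_TAG):
            del msg["Subject"]
            msg["Subject"] = SUBJECT_TAG + subject
        body = msg.get_body(preferencelist=("plain",))
        if body is not None:
            body.set_content(BANNER + body.get_content())
    return reasons, msg


# Constructed sample messages for the demonstration (not real traffic).
SAMPLE_INTERNAL = """From: HR Team <hr@example.com>
To: alice@example.com
Subject: Mandatory training update
Content-Type: text/plain; charset="utf-8"

Please complete the module by Friday.
"""

SAMPLE_PHISH = """From: IT Helpdesk <helpdesk@example.net>
To: alice@example.com
Subject: Email server warning: mailbox quota exceeded
Content-Type: text/plain; charset="utf-8"

Your mailbox is full. Sign in to keep receiving mail.
"""

SAMPLE_SPOOF = """From: IT Department <it@example.com>
To: alice@example.com
Subject: Password expiry notice
Content-Type: text/plain; charset="utf-8"

Your password expires today. Reset it now.
"""

if __name__ == "__main__":
    for label, raw, external in (("internal", SAMPLE_INTERNAL, False),
                                  ("phish", SAMPLE_PHISH, True),
                                  ("spoof", SAMPLE_SPOOF, True)):
        reasons, msg = tag_external(raw, external)
        print(f"--- {label}: {msg['Subject']}")
        for r in reasons:
            print("   ", r)
```

The internal HR message, submitted from inside, is left untouched; the “IT Helpdesk” message from example.net gets the tag and banner plus a note that its display name impersonates an internal team; the message whose From claims it@example.com but arrived from the internet is flagged as spoofed as well. In a real deployment the `arrived_from_internet` decision comes from the gateway’s listener or connector configuration, and SPF/DKIM/DMARC results would normally reject the spoofed case before any banner logic runs.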
1 – Your Facebook & Instagram data will be used to train Meta’s AI, unless you object. Right now.
“Meta has implemented a number of significant measures and improvements, including updated transparency notices to users, an easier-to-use Objection Form, and enhanced data protection safeguards.”
Source: Data Protection Commission
What’s the story?
The Irish Data Protection Commission (DPC) has been engaging with Meta over its plans to train large language models using public content from Facebook and Instagram users in the EU/EEA. After raising concerns, the DPC prompted Meta to pause its training in June 2024.
Following a European Data Protection Board opinion, Meta revised its approach, implementing measures like improved user notifications, an accessible Objection Form, and enhanced data protection safeguards.
As a result, Meta has been told it can start feeding EU data into its AI models from Tuesday, May 27th, 2025.
So what?
You already know that anything you publish publicly on Facebook or Instagram is publicly available. For non-EU / EEA users, this also meant it was available to be fed into Meta’s AI models.
However, for EU / EEA users, the pesky GDPR regulation got in the way.
Until now.
From Tuesday, Meta’s AI models will be allowed to feast on the public posts of Europeans too.
If you don’t like this news, you need to object.
The DPC may think that the Objection Forms are easier to use, but they aren’t particularly easy to find.
Within the Facebook and Instagram apps, go to your Profile, then look for Settings and Activity, and then Privacy Center. Then look for ‘AI at Meta’.
(PS If you aren’t a UK or EU / EEA user, you won’t see this option because your objections don’t matter.)