HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Social Engineering Attacks Exploit Service Desks at Major Retailers and Travel Companies

Attackers are repeatedly convincing service‑desk agents to reset passwords or grant remote sessions, as seen in the 2025 Scattered Spider campaign against UK retailers and a 2026 incident at Carnival. The pattern highlights a compliance gap in SOC 2 access‑control procedures and underscores the need for robust security‑awareness training.

LiveThreat™ Intelligence · 📅 June 24, 2026· 📰 bleepingcomputer.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
4 recommended
📰
Source
bleepingcomputer.com

Social Engineering Attacks Exploit Service Desks at Major Retailers and Travel Companies

What Happened — Attackers impersonating employees or IT support have repeatedly convinced service‑desk agents to reset passwords or grant remote‑access sessions. High‑profile incidents include the 2025 Scattered Spider campaign against UK retailers Marks & Spencer, Co‑op and Harrods, and a 2026 breach at Carnival Corporation. The FBI also warned that the Silent Ransom Group is using the same “help‑desk” ploy to gain footholds.

Why It Matters for Compliance & Audit Readiness

  • SOC 2 CC6.1 (Logical Access) and CC6.2 (User Access Management) require documented, enforceable processes for credential provisioning and MFA bypass prevention; service‑desk impersonation directly subverts those controls.
  • Continuous‑compliance programs must capture evidence that access‑reset requests are verified, logged, and reviewed—exactly the evidence Verisq’s Security Awareness Training capability helps generate and retain.
  • A defensible audit trail of service‑desk interactions demonstrates due‑diligence to regulators and customers, reducing the risk of non‑compliance findings.

Who Is Affected — Retail (e.g., Marks & Spencer, Co‑op, Harrods), travel & hospitality (Carnival Corporation), and any organization that outsources or centralizes help‑desk functions.

Recommended Actions

  • Map service‑desk password‑reset and remote‑access procedures to SOC 2 CC6.1/CC6.2 controls.
  • Deploy multi‑factor authentication for all privileged reset actions and enforce a “dual‑approval” workflow.
  • Conduct targeted security‑awareness training for help‑desk staff focused on impersonation detection and verification scripts.
  • Enable continuous logging and automated alerting on anomalous reset activity for audit evidence.

Technical Notes

  • Attack vector: social engineering (phone, chat, email) → credential reset or remote‑access session.
  • No specific CVE; the weakness is procedural rather than software‑based.
  • Data exposed: typically internal system credentials, potentially leading to downstream data exfiltration.

Source: BleepingComputer – Securing the service desk: Why social engineering attacks keep succeeding

📰 Original Source
https://www.bleepingcomputer.com/news/security/securing-the-service-desk-why-social-engineering-attacks-keep-succeeding/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Security Awareness

Awareness is a control you can evidence too.

Verisq AI Trust Operations records training completion and policy adoption as audit evidence — turning 'we train our staff' into something you can actually prove.

See how Verisq AI Trust Operations covers awareness →