Tech Insight: Using AI to fact-check

Here at Cosurica we prefer facts, not speculation, and we’re sure you do too! Given there’s such a lot of spin and speculation about recent cyber attacks on UK retailers and potential for ‘scaremongering’, and as always we’re short on time, we decided to utilise generative AI to do a bit of fact-checking for us.

Being the ‘caring, sharing’ sorts that we are, here’s the output we got from using AI to fact-check one particular article about the cyber attacks on M&S, Harrods and Co-Op. It summarises the points made in the original article and is annotated by ChatGPT to show whether the points made have been verified (factual), or are partially confirmed, speculative or ‘expert opinion’ (so not factual). The complete ‘non-fact-checked’ article is at the bottom of the page for comparison.

What Happened and When?

To help understand how the cyber attack on Marks & Spencer unfolded, here’s a timeline of events:

• 29–31 March: Customers across the UK reported issues with contactless payments and Click & Collect. [Verified: Multiple UK-based customer reports and M&S service status updates corroborate this.]
• Early April: M&S confirmed a “cyber incident” and took internal systems offline. [Verified: M&S public statements confirm a cybersecurity response.]
• 26 April: Online orders suspended; signs of in-store issues emerged. [Verified: Confirmed via news and retail sector briefings.]
• End of April – 2 May: Full scope of disruption became apparent. [Verified: Continuing service disruptions widely reported.]

What Kind of Attack, and by Whom?

• Type: Ransomware attack. [Verified: Confirmed by cybersecurity experts.]
• Group: Likely Scattered Spider (aka Octo Tempest). [Verified: Attributed by analysts based on attack patterns.]
• Tactics: Social engineering, MFA fatigue, SIM-swapping. [Verified: Scattered Spider known for these techniques.]

Gained Access in February?

• Early Access: The group may have entered in February. [Partially Confirmed: This is speculative, though consistent with common ransomware dwell times.]
• Malware Used: Possibly linked to DragonForce. [Speculative: No formal attribution from authorities or malware analysts.]

Was It a Direct Hit or Via a Supplier?

• Entry Point: May have been through a third-party vendor. [Partially Confirmed: Common Scattered Spider method; no direct confirmation from M&S.]

What’s the Damage So Far?

• Financial Loss: £3.8 million/day in online sales halted. [Verified: Estimate aligns with e-commerce revenue figures.]
• Stock Market Impact: Over £500 million wiped from market value. [Verified: Financial reporting confirms this volatility.]
• Operations: Gift cards, job ads, and product availability disrupted. [Verified: All disruptions reported by staff and customers.]

Harrods and Co-op Too

• Harrods: Reported restricted internet access. [Partially Confirmed: Service limitations observed, but Harrods did not confirm a full breach.]
• Co-op: Acknowledged IT disruption and limited data compromise. [Partially Confirmed: Statement confirms incident, though the extent of PII access is not independently verified.]

Why the Food Sector Is Now a National Cyber Target

• Infrastructure Risk: Calls to classify food logistics as critical infrastructure. [Opinion: Echoed by experts like Dr Harjinder Singh Lallie of University of Warwick; not a policy change yet.]

Lessons

• Third-Party Risk: Breaches often result from trusted vendor compromises. [Verified: Supported by incident analysis of Scattered Spider campaigns.]
• Zero Trust: Advocated by cybersecurity specialists as a preventive measure. [Verified: Widely recommended in security frameworks.]

The Motivation for the Attack?

• Scattered Spider Profile: Young, English-speaking, financially motivated. [Verified: Supported by open-source threat intelligence.]

Gives a Playbook to Other Cybercriminals

• Copycat Concerns: Potential for hostile actors to mimic tactics. [Opinion: Expressed by former NCSC head Ciaran Martin; speculative but credible.]

What Does This Mean For Your Business?

• Operational Risk: Cybersecurity is now a supply chain concern. [Verified: M&S disruptions show real-world operational impact.]
• Crisis Preparedness: Importance of training and contingency planning. [Verified: Supported by cybersecurity resilience recommendations.]
• Regulatory Outlook: Potential review of what constitutes critical infrastructure. [Opinion: Under discussion, not formalized.]

---

Overall Assessment: This article is largely accurate with a few speculative claims that are clearly identified. A reliable overview of a major cyber incident affecting UK retail.

[Fact-Checked and Annotated by ChatGPT, May 2025]

Cosurica Analysis – was it worth doing?

ChatGPT 4o saved us hours of research for sure, coming back with its response in just a few seconds, but it’s still important to bear in mind ChatGPT will have cross-checked the info in the article we gave it to analyse against other potentially inaccurate articles and other resources published online (just the same as we would have if we had the time). It could still misinterpret! Just as us humans could!

Generative AIs are reliant on the data they have been trained on in order to be accurate, so if any of the training data was inaccurate, the output may not be 100% accurate. Of course humans are fallible too though!

Hopefully ChatGPT 4o was able to check many more resources than we ever could and should not suffer with confirmation bias that humans have (unless the questions we put to it were biased in some way), so in theory, it should come back with a more accurate analysis than it’s possible for a human to do and in a very short space of time too.

The original article quoted Ciaran Martin, former head of the UK’s NCSC, saying “My national-level worry is that this gives other bad actors a playbook on how to disrupt Britain at scale.” From the article, it appears this is in relation to the M&S attack, and ChatGPT said it was ‘speculative but credible’ so we pressed ChatGPT further and it came back with the following response,

Upon reviewing the available information, there is no public record of Ciaran Martin, former CEO of the UK’s National Cyber Security Centre (NCSC), stating that the M&S cyberattack “gives other bad actors a playbook on how to disrupt Britain at scale.”

However, Martin has commented on the M&S incident, describing it as “a pretty bad episode of ransomware” and “a highly disruptive event and a very difficult one for them to deal with” . He also noted that the recovery period following such a serious attack is not unusual, highlighting the complexities involved in rebuilding affected systems.

While Martin has expressed concerns about the broader implications of cyberattacks on national infrastructure, there is no evidence linking the specific quote in question to his statements about the M&S incident.

In coming back with this clarification, Chat GPT cited a wide range of sources including The Standard, CNA, Sky News, Geo TV, Claims Journal, Yahoo Finance, Lancaster Guardian, VPN Mentor, The Grocery Gazette, Market Screener & The Independent. It’s up to the individual to decide if these sources are credible or not though!

Exercise your critical thinking!

ChatGPT reported the original article is largely accurate with a sprinkle of speculation (and we know the article did come from a known, reliable source which supplies curated content to businesses in the IT support sector), but we all need to be mindful there’s a lot worse out there!

It’s worth taking everything you read in the media with a pinch of salt, because it’s not always clear what each media channel’s agenda is. Fact-checking is increasingly important. Generative AI can certainly be helpful in this and it can you save time.

That said, critical thinking is a skill we all must exercise on a regular basis, so we can spot where fact-checking is necessary, spot possible flaws in AI output and push for the truth!

Here’s the full non-fact-checked article for comparison

How Marks & Spencer Was Brought To A Standstill

In this Tech Insight, we look at how a major ransomware attack on M&S could happen, who was behind it, how it caused such widespread disruption, and what it means for the company, its customers, and the wider UK retail sector.

What Happened and When?

To help understand how the cyber attack on Marks & Spencer unfolded, here’s a timeline of events from early disruption to the continuing impact on customers, stores, and services:

– 29–31 March. Customers across the UK reported issues with contactless payments and Click & Collect services in M&S stores. At the time, the problems appeared to be routine glitches.

– Early April. M&S confirmed it was dealing with a “cyber incident” and took key internal systems offline to contain the disruption.

– Friday 26 April. M&S suspended all online orders via its website and mobile apps as the situation escalated. Some stores began to report empty shelves. Food halls displayed signs blaming “technical issues” for limited product availability.

– End of April. Further disruption affected in-store services. Gift cards could not be used, food store returns were unavailable, and job applications were taken offline. Speculation grew over the cause and scale of the incident.

– By 2 May. Online shopping remained unavailable with no clear restoration timeline. In-store issues continued, and M&S had yet to confirm when normal operations would resume.

What Kind of Attack, and by Whom?

Cybersecurity researchers and law enforcement sources have since confirmed the incident was a ransomware attack, i.e. a form of cybercrime where attackers encrypt a company’s systems and demand a ransom in exchange for a decryption key.

The group thought to be behind the attack are a loose, English-speaking collective known as Scattered Spider (also known in some circles as Octo Tempest). The group of hackers has gained notoriety for previous high-profile hits, including on MGM Resorts and Caesars Entertainment in the US.

Different

It seems, however, that Scattered Spider operates differently from many of the more traditional ransomware gangs linked to Russia or Eastern Europe. For example, their tactics are sophisticated and often rely on “social engineering”, i.e. impersonating staff over the phone or via email, bypassing security by tricking help desks and IT teams into granting access. In some cases, they’ve used phishing, SIM-swapping, or multi-factor authentication fatigue techniques to break in.

Gained Access In February?

In M&S’s case, some reports suggest the attackers may have gained access as early as February, exfiltrating data before deploying the ransomware payload using malware linked to another group known as DragonForce. The malware encrypted access to vital servers, triggering the cascade of outages that followed.

Was It a Direct Hit, Or Through a Supplier?

One mystery that remains unresolved, however, is how the attackers actually gained entry in the first place. While M&S has not disclosed technical details, some industry insiders have suggested the compromise may have originated through a third-party supplier, a growing concern in the age of interconnected cloud platforms and shared vendor infrastructure.

This approach would make sense in terms of it being the same tactic used in previous Scattered Spider campaigns, where attackers exploited weaknesses in identity management systems like Okta or Microsoft Entra, or leveraged supplier access to leapfrog into target systems.

What’s the Damage So Far?

The fallout from the attack has been both operational and financial. Estimates of the damage caused include:

– £3.8 million in daily online sales lost. M&S’s e-commerce arm reportedly takes in nearly £4 million a day, all of which has ground to a halt.

– Over £500 million wiped from its stock market value. Uncertainty over the scale and duration of the attack spooked investors.

– Empty shelves and store disruption. Particularly in food halls, where logistics and supply chain systems were knocked offline.

– Job ads pulled and staff sent home. Over 200 vacancies vanished from the M&S careers page, and some warehouse workers were told not to come in due to low volume.

Beyond the financial hit, the reputational cost could, of course, be much worse. For example, customers expecting digital convenience, seamless returns, and reliable stock levels have been met with error messages and handwritten signs. For a retailer that prides itself on trust and quality, the breach has struck at the heart of the brand.

Harrods and Co-op Too

Worryingly for the retail sector, M&S isn’t alone. For example, within days, Harrods confirmed it too had been targeted by a cyberattack. While the impact appeared more contained (involving restricted internet access across its stores) it marked another breach of a high-profile UK retailer.

Meanwhile, the Co-op has confirmed that it was also the victim of a cyber attack affecting one of its IT systems. Although the company initially said the disruption had been contained by proactively shutting down affected systems, further investigation revealed that attackers were able to access and extract personal data. This is reported to have included names, contact details, and dates of birth linked to a significant number of current and former members.

However, the Co-op has stated that no passwords, payment data, or transaction history was compromised and that its loyalty and payment systems remain secure. That said, clearly the breach prompted a wider response involving the National Cyber Security Centre and the National Crime Agency. Customers have been urged to stay alert for suspicious activity, and the company has apologised while confirming that it is working closely with data protection authorities to manage the incident.

Although there has been no interruption to food supplies or store operations, the breach has exposed how even a relatively contained cyber event can present serious privacy and reputational risks. In a sector that depends so heavily on trust and repeat custom, this kind of incident can have lasting implications.

These incidents appear to follow an alarming pattern, i.e. it looks as though UK retailers are becoming increasingly attractive targets for cybercriminals looking to cause widespread disruption, and score a quick payday.

Why The Food Sector Is Now a National Cyber Target

While banks and energy firms have long been classed as “critical infrastructure”, attacks like the one on M&S have raised fresh questions about whether food supply chains should be treated with similar urgency.

For example, Dr Harjinder Singh Lallie of the University of Warwick has described the incident as a “red flag” for the food industry’s cyber readiness, and has warned that “attacks like these can seriously disrupt access to basic necessities.” The relevance of this point was all too clear as M&S shoppers saw bare shelves and delayed orders first-hand.

Also, cybersecurity experts have called attention to the knock-on effects of this kind of attack, i.e. a single ransomware attack can ripple across supply chains, logistics providers, warehouse networks, and even government services that depend on consistent delivery.

It seems that the interconnectedness of these systems makes them simultaneously efficient and dangerously vulnerable.

Lessons

Cybersecurity specialists have suggested that the attack on M&S highlights how modern hackers are no longer just exploiting technical flaws. For example, they are now increasingly targeting the trust between companies and their suppliers, employees, and service partners. Analysts have, therefore, stressed the need for stronger identity verification, tighter control over third-party access, and better training for frontline staff such as IT helpdesks. Many are also pointing to the importance of adopting “zero trust” models, where access to systems is never assumed and must be continually verified.

The Motivation for the Attack?

In the case of Scattered Spider, experts have noted the group’s unusual profile. For example, unlike many ransomware gangs based in Eastern Europe, this network appears to involve mostly English-speaking members, including individuals believed to be in their late teens. Their motivation appears to be a mix of financial gain with a desire for recognition, making them both capable and difficult to predict.

Gives a Playbook to Other Cybercriminals

It seems that while most experts agree that this was a criminal act rather than a state-sponsored one, some are warning that the response (or lack thereof) could embolden hostile states watching from the sidelines. As Ciaran Martin, former head of the UK’s National Cyber Security Centre, put it: “My national-level worry is that this gives other bad actors a playbook on how to disrupt Britain at scale.”

What Does This Mean For Your Business?

While the immediate concern for M&S remains restoring full operations and reassuring customers, the wider implications of these attacks are hard to ignore. The scale and severity of the disruption (coupled with the prolonged recovery timelines) have highlighted vulnerabilities not only in retail infrastructure but also in the broader digital supply chain that supports it. These were not just one-off disruptions. They were demonstrations of how a well-organised cyber attack can ripple across departments, damage customer trust, and expose operational dependencies that were previously taken for granted.

For UK businesses, particularly those in retail, food supply, and logistics, the M&S and Co-op incidents offer a sharp reminder that cyber risk is now an operational risk. Being online and interconnected brings enormous efficiency, but also opens the door to increasingly sophisticated and persistent threats. The attacks have shown how a breach of one supplier or system can impact everything from stock levels to staff recruitment, and how quickly customer-facing services can grind to a halt.

There are clear lessons here for organisations of all sizes. For example, while investment in technology is essential, so too is investment in people, training, and crisis planning. Basic resilience, i.e. the ability to function when systems go offline, is becoming just as important as innovation. For shareholders, customers and employees alike, the expectation is not perfection but preparedness.

The incidents also raise important questions for regulators and policymakers. If food retail is now so central to daily life that a single ransomware attack can cause national disruption, then its classification as part of the UK’s critical infrastructure may need to be reconsidered. In that context, the M&S and Co-op breaches could act as a turning point and one that prompts a broader shift in how businesses and government work together to anticipate, contain, and recover from this kind of attack.

While M&S works to bring its systems back online and the Co-op continues its investigation, the broader industry is already watching, and hopefully, learning. The hope is that attacks like this don’t become the new normal. If they do, resilience needs to become the new standard.