Cyber Incident Victim: The Works
Date:
Apr 2022
Location:
United Kingdom
Summary
A UK retailer experienced a cyberattack involving unauthorized access to its systems, forcing temporary closures of multiple stores due to till disruptions and halting stock deliveries while prolonging online order fulfillment. The company disabled all internal and external IT access, engaged cybersecurity forensics experts, and migrated payment processing to accredited third-party providers to secure transactions, confirming no compromise of customer payment data. Initial investigations suggest potential exposure of personal information remains possible, prompting notification to the data protection authority. Operational impacts included email disruptions and delayed services, but the incident is not expected to materially affect financial forecasts or long-term stability.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The Works, a UK-based discount retailer operating 526 stores across the United Kingdom and Ireland, experienced a cyberattack discovered in late March 2022 that disrupted critical business operations. Unauthorized actors gained access to the company's computer systems, causing till malfunctions that forced the temporary closure of five physical stores starting the week of March 28. The attack interrupted replenishment deliveries to stores and delayed fulfillment for online orders, though the company maintained both physical and digital sales channels with reduced functionality. Immediate containment measures included disabling all internal and external access to IT systems, including corporate email communications, which were rerouted to external providers. The retailer engaged third-party cybersecurity forensic experts to investigate the breach's scope and assist with recovery efforts. Payment processing systems were particularly affected, prompting The Works to transition all credit and debit card transactions to new third-party processors accredited under Payment Card Industry standards. Company statements emphasized these payment systems operated externally from compromised infrastructure, asserting no evidence indicated theft of customer financial data during the incident's initial forensic review.
Despite securing payment processing, The Works acknowledged potential compromise of non-financial customer personal information, leading to mandatory reporting to the UK Information Commissioner's Office by April 1, 2022. The attack was characterized in media reports as ransomware-related, though no ransom demands or encryption tactics were publicly confirmed by the organization. Business continuity measures prioritized restoring store deliveries, described as imminent in April 6 statements, while online order fulfillment systems underwent gradual reactivation to ensure stability. External cybersecurity analysts speculated the intrusion vector involved malicious email targeting employees, with potential deployment of wiper malware designed to destroy system functionality rather than extract data. The company projected confidence in financial resilience, stating the incident would not materially impact annual revenue forecasts or sales performance across its art supplies, books, and toy product lines. Operational disruptions remained localized, with all but five locations maintaining cash transactions and the majority of supply chain functions resuming within two weeks of initial detection.