Two stories landed between Thursday 26 and Friday 27 June 2026. The FBI's public advisory says the cybercrime crew tracked as Scattered Spider has pivoted to airlines; Mandiant and Palo Alto Unit 42 advisories followed the same week, and WestJet, Hawaiian Airlines and Qantas have all confirmed intrusions in the past three weeks. The New York Times and TechCrunch report Russian-speaking criminal hackers behind the 31 August 2025 Jaguar Land Rover attack that cost the UK economy an estimated 1.9 billion pounds. Both share the help-desk social-engineering vector that took down M&S, Co-op and Harrods in spring 2025. Three jobs fit the fifteen days before the Cyber Security and Resilience Bill's Lords second reading on Tuesday 14 July 2026.
Key takeaways
- The FBI's public advisory on Friday 27 June 2026, joined by Mandiant and Palo Alto Networks' Unit 42 advisories the same week, confirms that the cybercrime crew tracked as Scattered Spider has pivoted to the airline sector after Marks and Spencer, Co-op and Harrods in spring 2025. Canada's WestJet, Hawaiian Airlines and Australia's flag carrier Qantas have all confirmed intrusions in the past three weeks, with Mandiant's CTO Charles Carmakal calling on the industry to tighten help-desk identity verification immediately.
- The New York Times reporting of Thursday 26 June 2026, picked up by TechCrunch the same day, attributes the 31 August 2025 attack on Jaguar Land Rover to a Russian-speaking criminal group, identified to JLR by Microsoft and worked through jointly by the FBI, the National Crime Agency, the NCSC, Mandiant and Unit 42. The Cyber Monitoring Centre estimates the attack cost the UK economy 1.9 billion pounds, with the supplier base only kept alive by a 1.5 billion pound government loan guarantee.
- Both stories share the same vector that broke Marks and Spencer, Co-op and Harrods in spring 2025: a social-engineering call to the IT help desk that ends in a password reset or a new multi-factor authentication device being registered to the attacker. None of these intrusions started with a clever exploit against an unpatched edge appliance. They started with somebody on the other end of a telephone, pretending to be an employee locked out of an account, persuading a tier-one support agent to do something that looks routine.
- The translation for UK schools, charities and SMBs is an identity-verification problem, not a perimeter problem. Patching, segmentation and complaints pages do not catch a confident caller asking the office manager to reset an MFA device. A 1,200-pupil secondary school, a medium charity with a single office manager and a 40-employee SMB with a managed-service provider are all the surface Scattered Spider, the JLR group and every copycat are probing through the rest of 2026.
- Three jobs fit the fifteen days to the Cyber Security and Resilience Bill's Lords second reading on Tuesday 14 July 2026: write a one-page authorised-action list for help-desk staff that names who can reset which account and what the verification method is; bake a fifteen-to-thirty minute cooling-off delay into every privileged MFA reset in the identity-provider console with line-manager approval; and confirm in writing, with every external supplier who can reset accounts on your behalf, the same cooling-off delay and escalation path - five contractual clauses lifted from the FBI advisory's own language.
Two stories landed on the UK desk between Friday afternoon and the close of last week. On Friday 27 June 2026 the FBI issued a public advisory that the cybercrime crew tracked as Scattered Spider — the same crew that took down Marks & Spencer, Co-op and Harrods between April and May 2025 — has pivoted to the airline sector. Google's Mandiant unit and Palo Alto Networks' Unit 42 followed with their own advisories the same week, with Mandiant's CTO Charles Carmakal calling on the industry to tighten help-desk identity verification immediately. Canada's WestJet, Hawaiian Airlines and Australia's flag carrier Qantas have all confirmed intrusions in the past three weeks. On Thursday 26 June 2026 the New York Times reported, and TechCrunch picked up the same day, that the 31 August 2025 attack on Jaguar Land Rover — the most damaging cyber-attack in British history at an estimated £1.9 billion drag on the UK economy, with the supplier base only kept alive by a £1.5 billion government loan guarantee — has now been attributed by investigators to a Russian-speaking criminal group, identified to JLR by Microsoft and worked through jointly by the FBI, the National Crime Agency, the NCSC, Mandiant and Unit 42.
We have been here before. Both stories share a vector that has already burned through UK retail, is now burning through aviation, and will land on UK schools, charities and SMBs next: the help-desk social-engineering call. None of these intrusions started with a clever exploit against an unpatched edge appliance. They started with a person on the other end of a telephone or a chat window, pretending to be an employee locked out of their account, persuading a help-desk agent to reset a password or register a new multi-factor authentication device — and from there walking straight into the network with valid credentials and a valid second factor. The attacker did not break the door. The attacker convinced somebody to open it.
That is a different problem from the one most of our audience is set up to solve. UK schools, charities and SMBs have spent the last two years patching FortiOS, getting the June 2026 Patch Tuesday CVEs deployed, working through the DUAA Section 164A complaints duty that came into force on 19 June, and digesting the PAC's report on the cyber-resilience of UK museums published on 24 June. These are perimeter and process problems and the answers are technical: patch faster, segment networks, write a complaints page. The help-desk social-engineering vector is not a perimeter problem. It is an identity-verification problem. It is somebody in a tier-one support role, under time pressure, being asked by a confident-sounding caller to do something that looks routine. The patch-Tuesday muscle does not catch it.
The UK touchstones the audience already knows are enough to make the point. At Marks & Spencer, in late April 2025, the breach started at the IT help desk: threat actors impersonated employees, called in with apparently routine login problems, and convinced help-desk staff to reset credentials. The disruption ran into late June and early July 2025, with shelves bare, online orders suspended, and roughly £300 million shaved off annual profit. At Co-op the same playbook ran a few days later, and the UK Cyber Monitoring Centre eventually treated both intrusions as a single Category 2 cyber event with combined costs of £270m to £440m. At Harrods, the publicly disclosed late-September 2025 third-party breach exposed 430,000 customer records via an unnamed supplier — a different vector from the April attack on Harrods' own systems, but the same shape of supply-chain identity-and-access exposure that runs through every help-desk story. At Jaguar Land Rover, per Thursday 26 June's reporting, social engineering by phone and email — phishing calls plus phishing emails, working an identity layer rather than a software flaw — is what Microsoft and the investigators have now described as the entry path. The audience does not need to be persuaded that the M&S brand was real or that the JLR brand was real. Both names sit on the high street and on the road. Both ran into the same vector. Both are stories the boards and trustees we work with already know about.
The translation to the smaller organisation is the part that needs spelling out. A UK secondary school with 1,200 pupils does not have a dedicated 24/7 IT help desk; it has a head of IT, a network manager and maybe a part-time technician, all of whom answer the phone when somebody calls saying they are locked out. A medium charity does not have a service-desk ticketing system with a 15-minute cooling-off delay on MFA resets; it has an office manager who has the master password to the donor CRM and is regularly asked to reset accounts for staff working from home. A 40-employee SMB does not have an identity-and-access management team; it has a managed-service provider that takes calls from anyone who can quote a serial number or a previous ticket reference. None of these set-ups are negligent. They are normal. They are also exactly the surface Scattered Spider — and the Russian-speaking group that hit JLR, and every copycat that has watched what worked — will be probing through the rest of 2026. The CSBS 2025/2026 numbers we used as the diagnostic baseline in post #25 said 38 per cent of UK businesses identified phishing as their primary attack vector — that figure is the same identity-vector story told through a different keyword.
There are fifteen days between this Monday morning and the Cyber Security and Resilience (Network and Information Systems) Bill's Lords second reading on Tuesday 14 July 2026, which we walked through in post #26. That is enough time for three small jobs. None of them need a procurement cycle and none of them need a budget.
Job One is to write down, on a single side of A4, who in your organisation is authorised to perform a high-risk help-desk action — defined as: resetting a password for any account with administrative privileges or access to personal data; registering a new MFA device; changing a recovery email or recovery phone number; lifting an account lockout on a privileged account; or restoring access for a user who claims to have lost both their device and their backup factor. For each action, write the verification method required and the escalation path. The verification method should not be something an attacker can socially engineer their way through — date of birth, last four digits of a bank account, a manager's name, or a previous ticket reference are all answers attackers have prepared for. The verification method should be either a video call with the user's manager naming the user, a phishing-resistant identity factor along the lines the NCSC has been recommending in its passkey guidance since spring 2026, or — for the smallest organisations — a physical in-person visit before the reset can happen. The page sits on the network manager's wall and on the office manager's wall and is part of the Cyber Resilience Pledge's Action 1 board-ownership work we walked through in post #17.
Job Two is to bake a cooling-off delay into every privileged MFA reset. Mandiant's recommendation to the airline sector — buy security operations a fifteen-to-thirty minute window before any high-risk help-desk action completes, so that a manager can be paged and the change reviewed — translates straight to a small organisation. In practice that is a checkbox in the identity-provider console (Microsoft Entra, Google Workspace, Okta — all of them support some form of delay or approval workflow on privileged account changes), a single rule that says "high-risk MFA reset requires line-manager approval before it completes", and a tested escalation path to whoever is on the duty phone after 5pm. The cooling-off delay is the single highest-leverage change a small organisation can make this fortnight, because it does not require trusting the help-desk agent to resist a confident caller — it makes the time pressure work against the attacker rather than for them.
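To make Job One and Job Two concrete, here is an added worked example (written for this post, not code from Mandiant, the FBI or any identity-provider vendor) that models the two controls as a small state machine: the one-page authorised-action list becomes a lookup table of high-risk actions and the verification methods each accepts, and the cooling-off delay becomes a gate that refuses to complete a reset until the line manager has approved and the window has elapsed. The account names, the fifteen-minute window, the in-memory request store and the "Sarah from finance" walk-through are all constructed for illustration; a real deployment would sit behind the identity provider's own approval workflow rather than a Python class.

```python
"""Toy model of an authorised-action list plus a cooling-off gate for
high-risk help-desk actions (added example; names and durations assumed)."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum

COOLING_OFF = timedelta(minutes=15)  # assumed: lower end of the 15-30 minute window


class Verification(Enum):
    MANAGER_VIDEO_CALL = "video call with the user's line manager naming the user"
    PHISHING_RESISTANT_FACTOR = "existing passkey or other phishing-resistant factor"
    IN_PERSON = "physical in-person visit"
    KNOWLEDGE_QUESTION = "date of birth, manager's name or previous ticket reference"
    SMS_CODE = "SMS one-time code"


# Job One: the single side of A4, as a table. Knowledge questions and SMS
# codes are deliberately absent from every row: callers arrive with those
# answers prepared, so they never count as verification for these actions.
AUTHORISED_ACTIONS: dict[str, set[Verification]] = {
    "reset_privileged_password": {Verification.MANAGER_VIDEO_CALL, Verification.IN_PERSON},
    "register_mfa_device": {Verification.MANAGER_VIDEO_CALL,
                            Verification.PHISHING_RESISTANT_FACTOR, Verification.IN_PERSON},
    "change_recovery_contact": {Verification.MANAGER_VIDEO_CALL,
                                Verification.PHISHING_RESISTANT_FACTOR, Verification.IN_PERSON},
    "lift_privileged_lockout": {Verification.MANAGER_VIDEO_CALL, Verification.IN_PERSON},
    "restore_access_lost_all_factors": {Verification.MANAGER_VIDEO_CALL, Verification.IN_PERSON},
}


class Status(Enum):
    AWAITING_VERIFICATION = "awaiting_verification"
    COOLING_OFF = "cooling_off"   # verified; clock running; line manager paged
    APPROVED = "approved"         # manager approved; clock may still be running
    COMPLETED = "completed"
    REJECTED = "rejected"


@dataclass
class ResetRequest:
    request_id: str
    subject: str       # account the caller wants changed
    action: str
    opened_at: datetime
    verified_at: datetime | None = None
    approved_by: str | None = None
    status: Status = Status.AWAITING_VERIFICATION
    audit: list[str] = field(default_factory=list)  # the "logged change" clause

    def log(self, when: datetime, msg: str) -> None:
        self.audit.append(f"{when.isoformat()} {self.request_id} {msg}")


class HelpDesk:
    """Job Two: every high-risk action passes verification, then a cooling-off
    window with line-manager approval, before it is allowed to complete."""

    def __init__(self, line_managers: dict[str, str]) -> None:
        self.line_managers = line_managers          # assumed directory: user -> manager
        self.requests: dict[str, ResetRequest] = {}

    def open_request(self, request_id: str, subject: str, action: str, now: datetime) -> Status:
        if action not in AUTHORISED_ACTIONS:
            raise ValueError(f"{action!r} is not on the authorised-action list")
        if subject not in self.line_managers:
            raise ValueError(f"no line manager on file for {subject!r}")
        req = ResetRequest(request_id, subject, action, now)
        req.log(now, f"opened: {action} for {subject}")
        self.requests[request_id] = req
        return req.status

    def record_verification(self, request_id: str, method: Verification, now: datetime) -> Status:
        req = self.requests[request_id]
        if req.status is not Status.AWAITING_VERIFICATION:
            return req.status
        if method not in AUTHORISED_ACTIONS[req.action]:
            req.status = Status.REJECTED
            req.log(now, f"rejected: '{method.value}' is not accepted for {req.action}")
            return req.status
        req.verified_at = now
        req.status = Status.COOLING_OFF
        req.log(now, f"verified via '{method.value}'; cooling-off until "
                     f"{(now + COOLING_OFF).isoformat()}; paging {self.line_managers[req.subject]}")
        return req.status

    def approve(self, request_id: str, approver: str, now: datetime) -> Status:
        req = self.requests[request_id]
        if req.status is not Status.COOLING_OFF:
            req.log(now, f"approval by {approver} ignored in state {req.status.value}")
        elif approver != self.line_managers[req.subject]:
            req.log(now, f"approval refused: {approver} is not {req.subject}'s line manager")
        else:
            req.approved_by, req.status = approver, Status.APPROVED
            req.log(now, f"approved by {approver}")
        return req.status

    def complete(self, request_id: str, now: datetime) -> Status:
        req = self.requests[request_id]
        if req.status is not Status.APPROVED:
            req.log(now, f"completion refused in state {req.status.value}")
        elif now - req.verified_at < COOLING_OFF:
            req.log(now, "completion refused: cooling-off window has not elapsed")
        else:
            req.status = Status.COMPLETED
            req.log(now, f"completed: {req.action} for {req.subject}")
        return req.status


# Constructed clock for the walk-through below (a Monday afternoon, assumed).
T0 = datetime(2026, 6, 29, 14, 0, tzinfo=timezone.utc)


def minutes_after(m: int) -> datetime:
    return T0 + timedelta(minutes=m)


def run_sarah_scenario() -> list[str]:
    """'Sarah from finance has lost her phone; the meeting starts in twenty minutes.'
    The first attempt offers a knowledge question and is rejected; the second is
    verified by her manager and still cannot complete inside the window."""
    desk = HelpDesk({"sarah.finance": "mgr.finance"})
    desk.open_request("R1", "sarah.finance", "register_mfa_device", minutes_after(0))
    desk.record_verification("R1", Verification.KNOWLEDGE_QUESTION, minutes_after(0))
    desk.open_request("R2", "sarah.finance", "register_mfa_device", minutes_after(0))
    desk.record_verification("R2", Verification.MANAGER_VIDEO_CALL, minutes_after(1))
    desk.approve("R2", "mgr.finance", minutes_after(3))
    desk.complete("R2", minutes_after(5))    # refused: twenty-minute deadline or not
    desk.complete("R2", minutes_after(16))   # completes once the window has elapsed
    return desk.requests["R1"].audit + desk.requests["R2"].audit


if __name__ == "__main__":
    print("\n".join(run_sarah_scenario()))
```

The point of the design is the one the post makes: the agent is never asked to resist the caller, because no combination of urgency, a plausible name and a prepared answer can move a request past `COOLING_OFF` without the named line manager and the clock both agreeing. The audit list is what a reviewer (or an MSP, under the written side-letter in Job Three) would expect to see for every high-risk action.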
Job Three is to confirm, in writing, with every external supplier who can reset a user account on your behalf — managed-service provider, payroll vendor, MIS vendor, donor-CRM vendor, finance-system vendor — what their help-desk identity-verification process is and whether they will commit, in the contract or in a written side-letter, to the same cooling-off delay and escalation path you have just set up internally. This is the procurement-questionnaire conversation we flagged in post #20 as the autumn 2026 vector by which the Cyber Security and Resilience Bill's supplier obligations will land on smaller buyers. Doing it now, before the Bill's Lords second reading on 14 July, puts you ahead of the procurement cycle rather than behind it. The contractual standard to ask for is the FBI advisory's own language: verified identity, phishing-resistant MFA, logged change, cooling-off delay, no SMS fallback. That is five clauses.
What is not in this post. We have not predicted whether Scattered Spider's airline campaign will produce a confirmed UK casualty — there is no public reporting that British Airways, easyJet, Virgin Atlantic, Jet2 or Wizz Air UK have been hit, and we are not going to fabricate one for the purposes of urgency. We have not predicted whether the JLR attribution will harden into a formal UK government statement against Russia — it has not as of Monday morning, and Chancellor Reeves's earlier "hostile states like Russia" reference is a year-old framing rather than a fresh one. We have not predicted enforcement posture from the ICO under the Deputy Commissioner following John Edwards's resignation on 19 June — the ICO's "measured approach during the initial transition" remains the only public signal, and we are not going to read more into it than is there. The three jobs above are operational and stand independently of any of those uncertainties.
The Friday afternoon ask. If you are a UK school, charity or SMB and you have read this far, the practical question for this week is whether the person who answers your help-desk phone on Wednesday afternoon would know what to do if a caller said: "Hi, this is Sarah from finance, I am working from home, I have lost my phone, I cannot get into my email and the trustees' meeting starts in twenty minutes — can you just reset my MFA so I can dial in?" If the answer to that question is "they would help her, of course they would", then the Scattered Spider vector is open on your network, and the next attack has the M&S playbook, the JLR playbook, the WestJet playbook and the Hawaiian Airlines playbook to draw on. The three jobs above close it. Fifteen days is enough.
If you would like a second pair of eyes on your help-desk identity-verification process, on the cooling-off delay configuration in your identity provider, or on the supplier side-letters you need to send out before the Bill's 14 July Lords second reading, our team is happy to spend forty-five minutes on a discovery call. The cybersecurity and resilience service page sets out the rest.