The group suspected of hacking the Legal Aid Agency (LAA) may also have been responsible for the cyber attack on Marks & Spencers (M&S) according to retail trade press.
Retail Gazette says the Scattered Spider group, which has been linked to cyber attacks on British retailers this year, could have been working with the Shiny Hunters which has claimed responsiviblity for the attack on the LAA.
Cyber security expert Alan Woodward from the University of Surrey said he saw a “convergence of tactics” between the two groups which suggested they had formed an alliance and was now jointly targeting data.
In August The Times reported the Shiny Hunters had publicly claimed credit for the attack on the LAA via encrypted messaging app Telegram. It issued a ransom demand threatening it would release the ‘Legal Aid Agency Ministry of Justice database’ it accessed through the cyber attack in April of this year; some 2.1m records it is estimated could have been accessed after the Ministry of Justice admitted in a statement the attack had ‘accessed and downloaded a significant amount of personal data from those who applied for legal aid through our digital service between 2007 and 16 May 2025 when the systems were taken offline’
Despite the ransom threat, no data appears to have been released. A Ministry of Justice spokesperson said at the time
“We will not negotiate with criminals or engage with their ransom demands. It is illegal to share this data and anyone who does so could be sent to prison.”
Woodward further explained the methodology used by Scattered Spider and Shiny Hunters involved one infiltrating online systems before the other worked worked to steal data which could be held to ransom or sold online.
“Scattered Spider often manages to get in, and then the Shiny Hunters are the ones that steal the data and effectively hold it to ransom,”
Brandon Tirado, a director at cybersecurity company ReliaQuest, added
“Rather than it being a formal partnership, they instead work opportunistically. Whilst we don’t know for sure who is behind them, recent arrests in the US and UK indicate that Scattered Spider is predominantly made up of English speakers, whereas Shiny Hunters is more global.”
M&S was hit with a cyber-attack earlier this year, with the retailer initially issuing an apology after customers across the UK were left unable to use contactless payments or click-and-collect services over the Bank holiday weekend in April. Much like the LAA which remains offline, M&S continues to deal with the fallout from the attack.
