The $2M Breach That Started With a Phone Call: What the Scattered Spider Jewelry Retailer Hack Reveals About IGA Coverage Gaps

The $2M Breach That Started With a Phone Call: What the Scattered Spider Jewelry Retailer Hack Reveals About IGA Coverage Gaps

Author: Asher Yartsev, Co-Founder & CTO of Klyro

Author: Asher Yartsev, Co-Founder & CTO of Klyro

Three accounts. That's all it took.

On July 7, 2026, a federal complaint was unsealed in Chicago charging 19-year-old Peter Stokes, an alleged member of the hacking collective Scattered Spider, in connection with the May 2025 breach of a luxury jewelry retailer. The case is fresh, but the attack pattern is not, and that's exactly why it's worth another look. It's a near-perfect case study in what happens when identity governance stops at the login screen.

How three phone calls became 77GB of stolen data

Between May 12 and 15, 2025, attackers called the retailer's IT help desk, posing as locked-out employees. No malware. No exploited vulnerability. Just a convincing voice and an urgent request. Help desk staff reset the passwords (and the mobile devices tied to multi-factor authentication) for three accounts, two of which belonged to IT administrators.

From there, the timeline moved fast:

  • Within hours, attackers had installed ngrok and a second tunneling tool, Teleport, to maintain remote access.

  • They moved data to Amazon cloud storage and exfiltrated at least 77GB.

  • They attempted to deploy ransomware. The retailer's security team caught it and evicted them, a real win.

  • The attackers still sent an $8 million ransom demand. The company didn't pay.

  • Even without a ransomware payout, the breach cost roughly $2 million in disruption, investigation, and cleanup.

Scattered Spider has run this exact playbook against Marks & Spencer, Co-op, Harrods, Caesars, and MGM. It works because it doesn't target software. It targets the gap between "verified" and "actually verified", and it targets accounts that, once compromised, open far more doors than they should.

The part of the story that doesn't make the headlines

Every writeup of this breach (and the M&S, Co-op, and Harrods breaches before it) focuses on the help desk failure and the MFA reset. That's the entry point, and it matters. Phishing-resistant MFA and out-of-band callback verification are table stakes now.

But the entry point isn't the real story. The real story is what happened after the reset: two IT admin accounts, once compromised, gave attackers enough reach to install tunneling software, touch cloud storage, and move 77GB out the door in hours, undetected until the ransomware deployment tripped an alarm.

That's not a help desk problem. That's an entitlement visibility problem.

Most retailers of this size run an IGA platform. Many of them likely had one before this breach. But owning an IGA platform and having complete IGA coverage are two very different things. In practice, the systems most likely to hold outsized privilege (help desk tools, ITSM platforms, cloud storage consoles, admin tooling, anything considered "too custom" or "too niche" to prioritize) are exactly the systems that end up as disconnected apps sitting outside governance. Nobody's watching what those admin accounts can actually reach, because nobody finished building the connector.

When an attacker takes over one of those accounts, the blast radius isn't determined by how good your MFA was. It's determined by how much unmonitored, ungoverned privilege was sitting behind that login the whole time.

Why "we have an IGA platform" isn't the same claim as "we have IGA coverage"

This is the gap we see over and over in breach postmortems, retail included: entitlement sprawl on exactly the accounts (IT admins, service desk tooling, cloud infrastructure) that attackers go after first, because governance coverage stopped short of the systems that matter most under pressure.

Complete coverage means every connector modeled, every entitlement mapped, and every disconnected app brought into governance, not just the SaaS apps that were easy to onboard first. It means that when an IT admin account starts behaving abnormally (new tunneling software, unfamiliar cloud storage access, a burst of data movement), there's a governance layer that actually has visibility into that account's real entitlements to flag it, instead of discovering the anomaly only when ransomware trips a wire.

That's the layer Klyro exists to close. We handle the full lifecycle of IGA integration (connector research, AI-enhanced role modeling, entitlement mapping, and ongoing maintenance) for the systems that typically get left behind, including the "disconnected apps" that don't fit neatly into off-the-shelf connectors. Not a replacement for your existing IGA investment, but the missing piece that turns "we have a platform" into "we have coverage."

The takeaway for retail security teams

Scattered Spider isn't going away because one operator got arrested. Group-IB has described it less as a single gang and more as a loose collective of small cells sharing tools and tactics, the kind of structure that survives individual prosecutions. The next call to your help desk is a matter of when, not if.

You can't fully prevent a convincing enough social engineering attempt. What you can control is what happens after, how far a single compromised admin account can actually reach, and whether anyone would notice before 77GB walks out the door.

If your IGA platform has gaps in the systems that matter most under pressure, that's worth finding out before the next phone call comes in, not after.

Ask yourself the question this retailer couldn't answer in time

If two of your IT admin accounts were reset by an attacker right now, could you tell (in minutes, not after a ransomware alarm) every system, every entitlement, and every disconnected app those accounts could touch? For most retail security teams running an IGA platform, the honest answer is "not fully." The connectors that would give that visibility into help desk tools, cloud storage consoles, and admin tooling are usually the ones that never made it off the backlog, because they're the hardest and slowest to build.

That's the exact gap Klyro closes. We build and maintain the connectors your IGA platform is missing (including the disconnected, non-standard, and admin-tier systems attackers go after first) so that an admin account behaving like this one did gets flagged by your governance layer before it becomes a $2 million cleanup bill.