M&S admits customer data was stolen in cyber attack
Marks & Spencer has acknowledged that customer data was stolen during a cyber attack that has significantly disrupted the retailer’s operations.
The company is now informing affected customers, more than three weeks after the initial incident.
M&S Chief Executive Stuart Machin stated that while some personal customer information was accessed, there is “no evidence that the information has been shared” and it does not include payment details or account passwords. According to the retailer, customers will be prompted to reset their passwords upon their next login.
The cyber attack has had severe consequences for M&S, including the halting of online orders for nearly three weeks, empty shelves in stores and a substantial drop in the company’s share price. M&S has been struggling for weeks, reportedly since the Scattered Spider hacking group attacked its networks.
The company did not disclose the number of affected customers. Mr Machin stated in a social media post (see below) that there is “no need for customers to take any action” but that they would be prompted to change their passwords as a precaution.
The cyber attack, which became apparent on Easter Monday, forced M&S to halt recruitment and caused significant disruptions to its supply chain, resulting in bare shelves and online shopping issues.
An M&S insider revealed to Sky News that the company lacked a proper cyber attack plan and that it could take “months” to fully recover. The source described the situation at M&S’s head office as “just pure chaos,” with staff working long hours and weekends in a reactive response to the incident.
M&S has engaged cybersecurity experts to investigate the breach and implement additional security measures. The company has also reported the incident to the National Cyber Security Centre (NCSC) and the National Crime Agency.
Comments Lisa Barber, Which? Tech Editor:
“While it’s reassuring that card and account details don’t appear to have been taken in the M&S cyber incident, it’s concerning that criminals have gained access to information that could be used for identity fraud.
“It’s always a good idea to change your password as soon as possible if there’s been a security breach and to ensure your new password is unique from any other online accounts.
“M&S customers should also be on the lookout for scammers using the data breach as an opportunity to contact them, impersonating legitimate organisations. You should treat any contact out of the blue with suspicion and be especially wary of anyone who asks you to verify account details or payment information.
“If you are in any doubt about whether a call, email or message is genuine, don’t give any personal details and contact the company directly to check if it’s really them.”
Adds Greg Zakowicz, senior ecommerce expert at Omnisend:
“It will have been a bitter pill to swallow for M&S to admit that the recent cyber attack has put customer data at risk – particularly given the premium image the brand portrays.
“At the moment, the retailer’s advice is to change your account password and ensure it is unique and strong. But as an added layer of security, we would suggest that online customers enable two-factor authentication wherever possible and be cautious of phishing emails or suspicious calls that may use leaked data to appear legitimate.”