M&S says customer data stolen in cyber attack

Michael Race & Joe Tidy

Business reporter & Cyber correspondent, BBC News

Marks & Spencer has revealed that some personal customer data has been stolen in the recent cyber attack, which could include contact details and dates of birth.

The High Street giant said the personal information taken could also include online order histories, but added the data theft did not include useable payment or card details, or any account passwords.

M&S was hit by the cyber attack three weeks ago and is struggling to get services back to normal, with online orders still suspended.

The retailer said customers would be prompted to reset passwords for accounts “for extra peace of mind”.

M&S chief executive Stuart Machin said the company was writing to customers to inform them that “unfortunately, some personal customer information has been taken”.

“Importantly, there is no evidence that the information has been shared,” he added.

What has been taken?

M&S confirmed the contact information stolen could include:

  • name
  • date of birth
  • telephone number
  • home address
  • household information
  • email address
  • online order history

The retailer added any card information taken would not be useable as it does not hold full card payment details on its systems.

What should you do?

M&S operations director Jayne Wall told customers in an email: “You do not need to take any action, but you might receive emails, calls or texts claiming to be from M&S when they are not, so do be cautious.

“Remember that we will never contact you and ask you to provide us with personal account information, like usernames, and we will never ask you to give us your password.”

Mr Machin said M&S was “working around the clock to get things back to normal” as quickly as possible.

How did the hack happen?

Problems at M&S began over the Easter weekend when customers reported problems with Click & Collect and contactless payments in stores.

The company confirmed it was dealing with a “cyber incident” and while in-store services have resumed, its online orders on its website and app have been suspended since 25 April.

There is still no word on when online orders will resume.

M&S’ announcement that customer data had been stolen as part of the ongoing cyber attack was expected due to the nature of the attack.

The hackers behind it, who also recently targeted Co-op and Harrods, used the so-called DragonForce cyber crime service to carry out the attacks.

The group is known to use a double extortion method, which means they steal a copy of their victim’s data as well as scramble it to make it unusable.

They can then effectively ask for a ransom for both unscrambling the data and deleting their copy.

Catherine Shuttleworth, retail analyst from Savvy Marketing, said the latest update was a “further blow for M&S”.

“So far M&S customers have been very supportive of the business in the light of the cyber attack but they will be very concerned that their data has been compromised and will need a good deal of reassurance from the business about what this means for them,” she said.

“M&S is one of the most trusted brands in the land and shoppers hold it to the highest standard.”
