Marks and Spencer Confirms Data Breach After April Cyber Attack
British multinational retailer Marks and Spencer (M&S) has confirmed that the cyber attack it disclosed in April resulted in the theft of customer data. The retailer, known for its clothing, home goods and food, announced the incident on its website, stating that threat actors had taken personal customer information from its systems.
In April, M&S said it was managing a cyber incident with the help of external cybersecurity experts. Customers had been experiencing outages affecting card payments, gift cards and the company's Click and Collect service. Despite these disruptions, the company assured customers that its stores remained open and that its website and app continued to operate normally.
The Cyber Incident Update published on the London Stock Exchange explained that M&S had engaged external cybersecurity experts to investigate and manage the incident. The company said it had immediately reported the incident to the relevant data protection supervisory authorities and to the National Cyber Security Centre (NCSC), but it gave no technical details about the attack.
M&S is a well-established retailer with a long history dating back to 1884. It operates both physical stores and online services, with a strong presence in the UK and some international markets. The company is listed on the London Stock Exchange (LSE) and is a constituent of the FTSE 100 Index.
The DragonForce group claimed responsibility for the attacks on M&S and Co-op, and said it had also attempted to breach Harrods. BleepingComputer reported that DragonForce ransomware affiliates used Scattered Spider social engineering tactics to target Marks and Spencer. Scattered Spider is known for impersonating employees to IT help desks in order to obtain password and MFA resets, so help-desk identity verification should be treated as part of an organisation's attack surface rather than a back-office formality.
This week, a cybersecurity update published by M&S confirmed the data breach: "To proactively manage the incident, we immediately took steps to protect our systems and engaged leading cybersecurity experts. We also reported the incident to relevant government authorities and law enforcement, who we continue to work closely with."
M&S says that, because of the nature of the incident, some personal customer data was taken, although there is no evidence that it has been shared. The stolen data may include contact details, date of birth, online order history, household information and masked payment card details, but not full payment card numbers. Customer reference numbers for M&S credit cards or Sparks Pay may also be affected.
No action is required from customers, but M&S advises caution over potential phishing attempts, noting that it will never ask customers for personal account information. "The personal data taken could include contact details – such as name, email address, addresses, telephone number – date of birth, online order history, household information and 'masked' payment card details used for online purchases," states the company.
"In addition, if you have or previously had an M&S credit card or Sparks Pay, your customer reference numbers, which are not your credit card number or payment details, could also be included. Importantly, the data does not include useable card or payment details," adds the company. M&S states that there is no evidence the data was shared and that it does not include usable payment details or account passwords, but customers will still be prompted to reset their password at their next login as a precaution.
M&S recommends being cautious with unexpected emails or texts, using strong and unique passwords for each account, keeping devices updated with the latest security patches, and visiting the UK National Cyber Security Centre website for further guidance on data breaches. The practical risk is that a name, email address, phone number and order history are enough for an attacker to craft convincing delivery, refund or account-verification messages that look like genuine M&S correspondence, so any unsolicited contact that cites a recent order should be verified through the official website or app rather than through links or numbers in the message itself.