Marks & Spencer Says Customer Data Stolen in Cyber Attack
High Street giant Marks & Spencer has revealed that some personal customer data was stolen in the recent cyber attack, which could include telephone numbers, home addresses and dates of birth. The company said the personal information taken could also include online order histories, but added that the data theft did not include useable payment or card details, or any account passwords.
The retailer was hit by the cyber attack three weeks ago and is struggling to get services back to normal, with online orders still suspended. The company has been facing significant financial losses due to the disruption, with Bank of America Global Research estimating that it costs £43m a week in lost sales. M&S chief executive Stuart Machin said the company was writing to customers to inform them that "unfortunately, some personal customer information has been taken".
"Importantly, there is no evidence that the information has been shared," he added. However, it is understood that the hackers could yet share or sell on the stolen data as part of their attempts to extort M&S, which still represents a risk of identity fraud.
Who Was Affected?
The retailer has not revealed how many of its customers have had their data stolen, but said it had emailed all website users to inform them, reported the case to the relevant authorities and was working with cyber security experts to monitor any developments. According to its last full-year results, the company had some 9.4 million active online customers in the year to 30 March.
What Information Was Stolen?
The contact information stolen could include telephone numbers, home addresses and dates of birth, as well as online order histories. However, the retailer added that any card information taken would not be useable as it does not hold full card payment details on its systems.
What's Next for M&S?
M&S has said people do not need to take any action, but has also warned customers that they should change their passwords as soon as possible if there's been a security breach and ensure their new password is unique from any other online accounts. The company has also offered advice on how to stay scam savvy, including verifying the authenticity of emails before clicking on links.
Customers are still waiting for news on when online orders will resume. M&S' announcement that customer data had been stolen as part of the ongoing cyber attack was expected due to the nature of the attack. The hackers behind it used the DragonForce cyber crime service to carry out the attacks, which also recently targeted Co-op and Harrods.
Expert Analysis
Lisa Barber, tech editor at consumer group Which?, said it was concerning that criminals had gained access to information that could be used for identity fraud. "It's always a good idea to change your password as soon as possible if there's been a security breach and to ensure your new password is unique from any other online accounts," she said.
Matt Hull, head of threat intelligence at cyber security company NCC Group, said attackers who have stolen personal information can use it to "craft very convincing scams". "If you're unsure about an email's authenticity, don't click any links. Instead, visit the company's website directly to verify any claims," he added.
The Impact on M&S
Problems at M&S began over the Easter weekend when customers reported problems with Click & Collect and contactless payments in stores. The company confirmed it was dealing with a "cyber incident" and while in-store services have resumed, its online orders on its website and app have been suspended since 25 April.
There is still no word on when online orders will resume. The hackers behind the attack used a double extortion method, which means they stole a copy of their victim's data as well as scrambling it to make it unusable.
What Does the Future Hold for M&S?
Jackie Naghten, a business consultant who has worked with big retailers including M&S, Arcadia and Debenhams, told the BBC that the hierarchy at M&S would be taking the data breach "very seriously". However, she warned modern logistics in retail were "massively complex" and it was likely to take several weeks before normal service would resume.
"It's absolutely costing them fortunes," she said. Shares in M&S are down some 12% over the past month, a reflection of the significant financial impact of the cyber attack.