M&S says personal customer data stolen in recent cyber attack

Marks & Spencer has revealed that some personal customer data was stolen in the recent cyber attack, which could include telephone numbers, home addresses and dates of birth.

The High Street giant said the personal information taken could also include online order histories, but added the data theft did not include useable payment or card details, or any account passwords.

M&S was hit by the cyber attack three weeks ago and is struggling to get services back to normal, with online orders still suspended.

The retailer said customers would be prompted to reset account passwords “for extra peace of mind”.

M&S chief executive Stuart Machin said the company was writing to customers to inform them that “unfortunately, some personal customer information has been taken”.

“Importantly, there is no evidence that the information has been shared,” he added.

However, it is understood that the hackers could yet share or sell on the stolen data as part of their attempts to extort M&S, which still represents a risk of identity fraud.

The retailer has not said how many of its customers have had their data stolen, but has emailed all website customers to alert them about the data breach.

According to its last full-year results, the company had some 9.4 million active online customers in the year to 30 March.

Mr Machin said M&S was “working around the clock to get things back to normal” as quickly as possible.

M&S confirmed the contact information stolen could include:

• name
• date of birth
• telephone number
• home address
• household information
• email address
• online order history

The retailer added any card information taken would not be useable as it does not hold full card payment details on its systems.

M&S has said people do not need to take any action, but has also said:

• users will be prompted to reset their password for their online account
• customers should be cautious as they “might receive emails, calls or texts claiming to be from M&S when they are not”
• M&S will never contact you and ask for personal account information like usernames or passwords

Lisa Barber, tech editor at consumer group Which?, said it was concerning that criminals had gained access to information that could be used for identity fraud.

“It’s always a good idea to change your password as soon as possible if there’s been a security breach and to ensure your new password is unique from any other online accounts,” she said.

Matt Hull, head of threat intelligence at cyber security company NCC Group, said attackers who have stolen personal information can use it to “craft very convincing scams”.

“If you’re unsure about an email’s authenticity, don’t click any links. Instead, visit the company’s website directly to verify any claims.”

Problems at M&S began over the Easter weekend when customers reported problems with Click & Collect and contactless payments in stores.

The company confirmed it was dealing with a “cyber incident” and while in-store services have resumed, its online orders on its website and app have been suspended since 25 April.

There is still no word on when online orders will resume.

M&S’ announcement that customer data had been stolen as part of the ongoing cyber attack was expected due to the nature of the attack.

The hackers behind it, who also recently targeted Co-op and Harrods, used the DragonForce cyber crime service to carry out the attacks.

DragonForce operates an affiliate cyber crime service on the darknet for anyone to use their malicious software and website to carry out attacks and extortions.

The group is known to use a double extortion method, which means they steal a copy of their victim’s data as well as scramble it to make it unusable.

They can then effectively ask for a ransom for both unscrambling the data and deleting their copy.

However, if the person or business hacked does not want to pay a ransom, criminals can in some cases start leaking the stolen data to other cyber criminals, who could look to carry out further attacks to gain more sensitive data.

At the moment, DragonForce’s darknet website does not have any entries about M&S.

Catherine Shuttleworth, retail analyst from Savvy Marketing, said the latest update was a “further blow for M&S”.

“So far M&S customers have been very supportive of the business in the light of the cyber attack but they will be very concerned that their data has been compromised and will need a good deal of reassurance from the business about what this means for them,” she said.

“M&S is one of the most trusted brands in the land and shoppers hold it to the highest standard.”