Marks & Spencer confirms customer data stolen in cyber attack

Marks & Spencer has confirmed it has been targeted in a damaging cyber attack that saw customer data accessed, forcing disruption across online operations and distribution centres.
The retailer revealed that information including names, contact details, dates of birth and order history was accessed, although payment information and account passwords were not compromised.
The incident, which came to light over the Easter Bank Holiday, has been linked by some sources to the hacking group Scattered Spider, a collective known for using social engineering to breach systems and extract data.
M&S has not directly confirmed the group’s involvement, but cyber experts and government agencies are investigating.
Online shopping was temporarily suspended and shelves in stores across the UK were left bare in the days following the breach. Recruitment was also paused, and agency staff at some distribution centres were told to stay at home during the height of the disruption.
In a message posted on social media, M&S chief executive Stuart Machin said: “To give customers extra peace of mind, they will be prompted to reset their password the next time they visit or log on to their M&S account and we have shared information on how to stay safe online.”
In a follow-up email to customers, operations director Jayne Wall added: “Unfortunately, the nature of the incident means that some personal customer data has been taken, but there is no evidence that it has been shared. The personal data could include contact details, date of birth and online order history.”
She also warned customers to be cautious of suspicious messages claiming to be from M&S, saying the company would never ask for account details or passwords via email or phone.
The National Cyber Security Centre (NCSC) has issued a statement on the increasing threat facing UK retailers. In a joint blog, NCSC’s National Resilience Director Jonathon Ellison and Chief Technology Officer Ollie Whitehouse described ransomware and extortion attacks as “opportunistic and indiscriminate,” affecting organisations of all sizes.
They said the recent incidents have real-world consequences, adding: “Recovery can be lengthy. And costly.” While the NCSC has not confirmed whether the attacks on retailers form part of a coordinated campaign, it is continuing to work with affected businesses and law enforcement.
The agency also pointed to the use of “ransomware as a service” by hacking groups, enabling relatively inexperienced criminals to launch complex attacks using purchased or shared software.
Companies are being advised to ensure comprehensive multi-factor authentication, review password reset procedures, and monitor for suspicious logins across administrative and cloud accounts.
As investigations continue, M&S said it has engaged specialist cyber security experts and reported the incident to relevant authorities.
Jayne Wall added: “We sincerely apologise for any inconvenience caused to you and all of our customers. Thank you so much for shopping with us and for your support, we never take it for granted.”
