M&S confirms customer data stolen in cyber attack

Marks and Spencer has told customers that some of their personal data has been stolen following a major cyber attack last month. 

However, it said the data does not include usable payment or card details, which are not held on its systems, and does not include any account passwords. It added there was “no evidence that this data has been shared”.

In its latest update following the attack, Marks and Spencer said customers do not need to take any action, and will be prompted to reset their password the next time they visit or log onto their M&S account “for extra peace of mind”. It will also share information with customers on how to stay safe online. 

The retailer added it has “taken steps to protect our systems” and engaged leading cyber security experts over the incident. 

It also reported the incident to relevant government authorities and law enforcement, who it will “continue to work closely with”.

Last month, Marks and Spencer paused all online orders through both its website and apps following the cyber attack.

In a statement the group said it was “truly sorry for the inconvenience”, and had taken the measure as part of “proactive management”. 

It added that customers could continue to browse products online and shop in stores using cash or card.

The group had previously issued an apology to its customers after its contactless payments and click-and-collect services experienced a widespread outage over the Bank Holiday weekend. 

The major cyber attack has been linked to Scattered Spider, a gang of British and American teenage cyber criminals.

The attack wiped out hundreds of millions of pounds from M&S’s market value, and investigators suspect the breach was carried out using a hacking tool from DragonForce, a group that describes itself as a “ransomware cartel”.

DragonForce typically sells its technology to other hacking groups as “ransomware as a service,” allowing multiple gangs to use it and complicating efforts to attribute blame.

It is understood that a ransomware attack disabled many of the company’s systems. In such cases cyber criminals can encrypt data and demand payment, while also threatening to leak stolen information.