Marks & Spencer has revealed that some personal information relating to thousands of customers was taken in the cyber-attack that has crippled its online operation for more than three weeks.
Since the retailer’s IT systems were hit by a ransomware attack over the Easter weekend, it has not been taking online orders, and the availability of some products in its stores has been affected after it took some of its systems offline in response.
The company said on Tuesday that it now realised that some customer data had been accessed but this did not include usable payment or card details, or any account passwords. The Guardian understands the details taken are names, addresses and order histories.
M&S said personal information had been accessed because of the “sophisticated nature of the incident”.
The retailer told customers there was no need to take any action, although “for extra peace of mind” they would be prompted to reset their password the next time they logged into their M&S account. It did not say how many customers had been affected.
“Today, we are writing to customers informing them that due to the sophisticated nature of the incident, some of their personal customer data has been taken,” the company said.
“Importantly, the data does not include usable payment or card details, which we do not hold on our systems, and it does not include any account passwords. There is no evidence that this data has been shared.”
Security experts warned M&S customers, many of whom have already been targeted by phishing attempts including an offer of a tea hamper in recent months, to be particularly alert for potential phishing emails or texts in the light of the data breach.
In a note to shoppers, Stuart Machin, the retailer’s chief executive, said: “Everyone at M&S is working around the clock to get things back to normal for our customers as quickly as possible, and we are very sorry for any inconvenience they have experienced.”
Analysts at the investment bank Citi said that M&S was likely to face “material fines” because the hackers had been able to access customer data.
More than £1.2bn has been wiped off the value of M&S since it first admitted it had been targeted by hackers amid investor concerns about the financial hit from legal action as well as lost sales from the closure of its website and low availability of some products in stores.
Russ Mould, the investment director at the financial broker AJ Bell, added that the data breach meant M&S “has a big mountain to climb to win back shoppers’ trust”.
He said: “Shoppers might be questioning if M&S is still such a great place to visit. So many people worry about the safety of their information that they might vote with their feet and go elsewhere if there are lingering concerns about the robustness of M&S’s systems.”
The group has not been able to take any orders through its website or app since 25 April as it tries to resolve the problems caused by the attack, which has been linked to the hacking group Scattered Spider.
The retailer said it had taken steps to protect its systems and engaged leading cybersecurity experts. It has reported the incident to relevant government authorities and it is being investigated by the Met Police with help from the National Crime Agency.
The Information Commissioner’s Office confirmed on 2 May that it had received reports from M&S and the Co-op Group, which has also suffered a cyber-attack. The ICO said it was working closely with the National Cyber Security Centre. The ICO website provides advice for those worried about their personal data.
The Co-op said this month that hackers had accessed and extracted data relating to a “significant number” of its customers from one of its systems. The information included names and contact details. It did not include passwords or financial information such as bank or credit card details.
Some Co-op stores have had empty shelves as the group has struggled to keep up supplies after being forced to close down parts of its IT systems. Harrods, the luxury department store, was forced to shut down some systems after it was hit by a cyber-attack.