How Can I Protect Myself from the M&S Cyberattack?

Marks & Spencer suffered a data breach. Here’s how customers can protect themselves from phishing, fraud, and future attacks using simple, actionable online safety tips.

    Marks & Spencer has confirmed a cyberattack that exposed customer data including names, email addresses, postal addresses, and dates of birth. While payment information and passwords were not accessed, cybersecurity experts warn that the stolen information could still be used in phishing scams or social engineering attacks.

    If you’re an M&S customer, here’s what you need to know—and how to protect yourself.

    What Information Was Stolen in the M&S Cyberattack?

    According to the company, affected data includes:

    • Full name
    • Email address
    • Home address
    • Date of birth

    M&S has not reported any compromise of:

    • Account passwords
    • Credit card or payment information
    • Transactional history

    Still, this partial data can be used in identity-based scams and targeted phishing.

    1. Stay Alert for Phishing and Impersonation Scams

    Stolen email addresses and names make customers easy targets for phishing attacks. Watch out for:

    • Emails pretending to be from M&S or other trusted brands
    • Messages asking you to “verify your account” or reset your password
    • Attachments or links that lead to fake login pages

    What to do:
    ✔ Never click on suspicious links
    ✔ Do not open unexpected attachments
    ✔ Report suspicious emails to M&S directly

    2. Reset Your Password—Even If It Wasn’t Stolen

    Although M&S says no passwords were accessed, you should still:

    • Reset your M&S account password when prompted
    • Avoid using the same password across multiple sites
    • Use a strong, unique password with a combination of letters, numbers, and symbols

    Pro tip: Use a password manager to generate and store secure credentials.

    3. Enable Two-Factor Authentication (2FA)

    If M&S, or any other service you use, offers 2FA, turn it on. This adds an extra layer of protection by requiring a second code to log in.

    This means even if someone has your email and password, they can’t access your account without that second verification step.

    4. Monitor Your Inbox and Account Activity

    Be proactive in watching for signs of compromise:

    • Look for suspicious login alerts
    • Monitor for unusual emails, especially password reset requests
    • Check if your email appears in a data breach using sites like Have I Been Pwned

    5. Don’t Share Verification Codes or Personal Info

    M&S has warned customers not to disclose security codes, passwords, or personal details via phone, text, or email.

    If you receive a message claiming to be from M&S and asking for any personal data—don’t respond. Official communication will never ask for this information directly.

    6. Be Cautious with Online Orders and Refunds

    Since the M&S website and app remain offline due to the breach:

    • Be wary of fake M&S websites or social media ads offering deals
    • Verify web addresses before entering any information
    • Only return or exchange orders at physical stores until official online channels reopen
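
Verifying a web address, as advised above, means reading the host name in the link rather than the brand text around it. The Python sketch below is an added example, not part of the original article or anything published by M&S; it assumes the official domain is marksandspencer.com (the page does not state it), and `check_link` and the sample links are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the retailer's official domain; the page itself does not state it.
OFFICIAL_DOMAIN = "marksandspencer.com"


def check_link(url, official=OFFICIAL_DOMAIN):
    """Return (trusted, reason) for a link, judged only by its address."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return False, "address cannot be parsed"
    if parts.scheme != "https":
        return False, "not an https link"
    if parts.username is not None:
        return False, "text before '@' is not the site name"
    if not host:
        return False, "no host name"
    labels = host.split(".")
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        return False, "look-alike characters in host name"
    if host == official or host.endswith("." + official):
        return True, "official domain"
    brand = official.split(".")[0]
    if brand in host.replace("-", ""):
        return False, "brand name inside a different domain"
    return False, "unrelated domain"


# Constructed sample links; the .example hosts are placeholders, not real sites.
SAMPLES = [
    "https://www.marksandspencer.com/account",
    "http://www.marksandspencer.com/account",
    "https://marksandspencer.com.refunds.example/login",
    "https://www.marksandspencer.com@refunds.example/login",
    "https://marks-and-spencer-deals.example/offer",
    "https://m\u0430rksandspencer.com/login",  # Cyrillic 'a' in the host
]

if __name__ == "__main__":
    for link in SAMPLES:
        trusted, reason = check_link(link)
        print(("OK      " if trusted else "SUSPECT ") + link + "  (" + reason + ")")
```

A passing result only confirms the address; the checks on unexpected messages and requests for codes in the other sections still apply.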

    7. Follow the Official Updates and Guidance

    M&S has said it will update affected customers via:

    • Email or SMS
    • Prompts on the official M&S website or app
    • Public announcements from CEO Stuart Machin

    “There is no evidence that the information has been shared, and it does not include card details or passwords,” Machin said.

    However, customers are still urged to remain vigilant and practice good cybersecurity hygiene.

    Summary: How to Stay Safe After the M&S Data Breach

    ✅ DO | ❌ DON’T
    Reset your password | Click unknown links
    Use strong, unique passwords | Reuse old passwords
    Watch for phishing attempts | Share codes via text or email
    Enable two-factor authentication | Trust unsolicited communications
    Monitor account activity | Delay taking precautions
