Personal Information Exposed, But No Payment Data or Passwords Compromised
Marks & Spencer (M&S) has confirmed a customer data breach following a sustained cyberattack that has disrupted its operations for several weeks. While the company reassured customers that no payment details or passwords were compromised, personal data such as contact details, dates of birth, and online order history may have been accessed by attackers.
Details of the Data Breach and Impact on Customers
In an official statement, Jayne Wall, Director of Central Store Operations, said:
“The nature of the incident means that some personal customer data has been taken, but there is no evidence that it has been shared. The personal data could include contact details, date of birth and online order history. However, importantly, the data does not include usable card or payment details, and it also does not include any account passwords.”
M&S warned customers to be cautious of phishing attempts and fraudulent messages:
“You might receive emails, calls or texts claiming to be from M&S when they are not, so do be cautious. Remember that we will never contact you and ask you to provide us with personal account information, like usernames, and we will never ask you to give us your password.”
Customers will be prompted to change their M&S account passwords upon their next login, as a precautionary measure.
Attack Linked to Scattered Spider; Operations Disrupted
The cyberattack, which is reportedly linked to the Scattered Spider hacking group, has led to severe disruptions:
- M&S’s online shopping platform was temporarily shut down
- Some physical store shelves were left empty due to supply chain issues
- Recruitment activities have been paused during system restoration
Despite the disruption, M&S stores have remained open throughout the incident.
CEO Confirms Breach and Apologises
Stuart Machin, CEO of M&S, addressed the issue in a LinkedIn post, confirming that affected customers had been notified. He emphasized that while personal data had been stolen, there is no evidence that the information has been shared or misused.
“Everyone at M&S is working around the clock to get things back to normal for our customers as quickly as possible, and we are very sorry for any inconvenience they have experienced.”
Ongoing Recovery and Customer Caution Urged
The breach highlights the growing threat that cyberattacks pose to retail companies, especially attacks that expose customers' personal data. While M&S continues to work on restoring full system functionality, customers are urged to stay vigilant against identity theft, phishing attacks, and unauthorized access attempts.
M&S has not yet disclosed how the attackers gained access or how many customer records were affected.