
Marks & Spencer (M&S) has confirmed that personal customer data was stolen during the cyberattack that disrupted its retail operations last month, escalating a previously opaque incident into a confirmed data breach.
The UK retail giant disclosed the development on May 13 through a message from CEO Stuart Machin and an accompanying customer FAQ, admitting for the first time that attackers had exfiltrated personal information.

The breach, which began impacting M&S systems around April 19, was initially described as a cybersecurity “incident” causing widespread technical disruption in-store and online. In an earlier regulatory filing, the company had stated it was working with external cybersecurity experts and had notified relevant government bodies. At the time, it stopped short of confirming whether any customer data had been compromised. The latest updates now reveal that attackers accessed information including names, contact details, dates of birth, and online order histories.
According to the company, the stolen data may also include household information, customer reference numbers related to M&S credit cards or Sparks Pay, and masked card details, which are partial card numbers used for transactions and not full payment credentials. Crucially, M&S asserts that the breach does not involve account passwords or usable payment card data, as full card numbers are not stored on their systems.
Marks & Spencer Group plc is one of the UK's most established retailers, serving over 32 million customers annually through its expansive network of food halls, clothing stores, and e-commerce platforms. The company has been actively investing in digital transformation, with its online channels representing a growing share of its business. The cyberattack marks a significant setback to those efforts and has already caused business disruptions ranging from suspended online orders to in-store payment outages.
Jayne Wall, M&S's Operations Director, clarified that while customers are not required to take immediate action, heightened caution is advised. The company warned of a potential increase in phishing attempts, such as emails or texts impersonating M&S. Customers have been reminded that M&S will never ask for passwords or personal account information via unsolicited messages. As an additional precaution, all users will be prompted to reset their passwords the next time they log into their accounts.
The retailer has not disclosed the attack vector or identified the threat actor, but there have been separate reports of Scattered Spider deploying DragonForce ransomware on the company's network. The matter has been reported to the UK's Information Commissioner's Office (ICO) and the National Cyber Security Centre (NCSC), which recently issued urgent guidance for all UK organizations.
If you're an M&S customer, reset your M&S account password immediately, change it anywhere else you reused it, and stay alert for suspicious emails, texts, or calls claiming to be from M&S.