M&S says customer data stolen in cyber attack

Marks & Spencer has revealed that some personal customer data was stolen in the recent cyber attack, which could include telephone numbers, home addresses and dates of birth.

The High Street giant said the personal information taken could also include online order histories, but added the data theft did not include useable payment or card details, or any account passwords.

M&S was hit by the cyber attack three weeks ago and is struggling to get services back to normal, with online orders still suspended.

The retailer said customers would be prompted to reset account passwords "for extra peace of mind".

The ongoing problems are costing the retailer £43m a week in lost sales, according to analysis from Bank of America Global Research.

M&S chief executive Stuart Machin said the company was writing to customers to inform them that "unfortunately, some personal customer information has been taken".

"Importantly, there is no evidence that the information has been shared," he added.

However, it is understood that the hackers could yet share or sell on the stolen data as part of their attempts to extort M&S, which still represents a risk of identity fraud.

The retailer has not revealed how many of its customers have had their data stolen, but said it had emailed all website users to inform them, reported the case to the relevant authorities and was working with cyber security experts to monitor any developments.

According to its last full-year results, the company had some 9.4 million active online customers in the year to 30 March.

Mr Machin said M&S was "working around the clock to get things back to normal" as quickly as possible.

Marks and Spencer was not the only retailer to suffer a cyber incident of this nature.

The Co-op, which experienced a similar attack, is expected to resume online deliveries, on Wednesday.

Media reports, first cited in The Grocer magazine, say the retailer has told suppliers to prepare for online services to resume.

M&S confirmed the contact information stolen could include:

The retailer added any card information taken would not be useable as it does not hold full card payment details on its systems.

M&S has said people do not need to take any action, but has also said:

Lisa Barber, tech editor at consumer group Which?, said it was concerning that criminals had gained access to information that could be used for identity fraud.

"It's always a good idea to change your password as soon as possible if there's been a security breach and to ensure your new password is unique from any other online accounts," she said.

Matt Hull, head of threat intelligence at cyber security company NCC Group, said attackers who have stolen personal information can use it to "craft very convincing scams".

"If you're unsure about an email's authenticity, don't click any links. Instead, visit the company's website directly to verify any claims."

Problems at M&S began over the Easter weekend when customers reported problems with Click & Collect and contactless payments in stores.

The company confirmed it was dealing with a "cyber incident" and while in-store services have resumed, its online orders on its website and app have been suspended since 25 April.

There is still no word on when online orders will resume.

M&S' announcement that customer data had been stolen as part of the ongoing cyber attack was expected due to the nature of the attack.

The hackers behind it, who also recently targeted Co-op and Harrods, used the DragonForce cyber crime service to carry out the attacks.

DragonForce operates an affiliate cyber crime service on the darknet for anyone to use their malicious software and website to carry out attacks and extortions.

The group is known to use a double extortion method, which means they steal a copy of their victim's data as well as scramble it to make it unusable.

They can then effectively ask for a ransom for both unscrambling the data and deleting their copy.

However, if the person or business hacked does not want to pay a ransom, criminals can in some cases start leaking the stolen data to other cyber criminals, who could look to carry out further attacks to gain more sensitive data.

At the moment, DragonForce's darknet website does not have any entries about M&S.