M&S says personal customer data stolen from recent cyber attacks

Marks & Spencer revealed that some personal customer data were stolen in the recent cyber attacks, which could include phone numbers, home addresses and dates of birth.

The High Street Giant said the personal information obtained may also include online order history, but adding data theft does not include available payment or card details or any account passwords.

M&S was hit by a cyber attack three weeks ago and is working to get the service back to normal, with online orders still being suspended.

The retailer said it will prompt customers to reset their account passwords with “extra confidence”.

According to analysis by Bank of America Global Research, ongoing problems lost £43 million in sales per week.

M&S CEO Stuart Machin said the company is writing to customers to inform them that “unfortunately, some personal customer information has been obtained.”

“It is important that there is no evidence that the information has been shared,” he added.

However, it is understood that hackers can share or sell stolen data as part of an attempt to ransom M&S, which still represents the risk of identity fraud.

The retailer has not disclosed how many customers have been stolen data, but said it has emailed all website users to notify them, reported the case to relevant authorities, and worked with cybersecurity experts to monitor any developments.

According to its previous year results, the company had about 9.4 million active online customers in the year on March 30.

Mr Machin said M&S “works around the clock to get things back to normal as soon as possible”.

Marks and Spencer are not the only retailers suffering from cyber incidents of this nature.

The co-op has experienced a similar attack and is expected to resume online delivery on Wednesday.

The retailer said media reports were first cited in the Grocery Magazine, telling suppliers to prepare for online service recovery.

M&S confirmed that the stolen contact information may include:

• Name
• Date of birth
• telephone number
• Home address
• Family information
• e-mail
• Online ordering history

The retailer added any card information that is not available because it does not retain full card payment details on its system.

M&S said people don't need to take any action, but also said:

• The user will be prompted to reset the password of their online account
• Customers should be cautious because they “may receive emails, phone calls or text messages claimed to be from M&S”
• M&S will never contact you and request personal account information such as username or password

It's about criminals gaining access to information that can be used for identity fraud, said Lisa Barber, a technology editor at the Consumer Group.

“If security is violated and making sure your new password is unique in any other online account, it's always a good idea to change your password as soon as possible,” she said.

Matt Hull, head of threat intelligence at the cybersecurity company NCC Group, said that attackers who stole personal information could use it to “create a very convincing scam.”

“If you are unsure of the authenticity of the email, please do not click any links. Instead, visit the company's website directly to verify any claims.”

The M&S issue started on Easter weekend when customers reported issues with Click & Collect and toction payments in the store.

The company confirmed it is handling “network incidents” and that although in-store services have resumed, online orders on its website and apps have been suspended since April 25.

When online orders resume, there is still no news.

M&S announced that due to the nature of the attack, customer data is expected to be stolen as part of an ongoing cyber attack.

Later hackers also recently targeted the cooperative and Harrods, who used the Dragon Fort Cybercrime Service to conduct an attack.

Dragonforce operates a member cybercrime service on Darknet for anyone to use its malware and website for attacks and ransomware.

The group is known to use a double ransomware method, which means they steal copies of victim data and scramble to make it unusable.

They can then effectively ask for ransom to untie the data and delete their copy.

However, if the hacked person or business does not want to pay the ransom, in some cases, criminals may begin to leak the stolen data to other cybercriminals, who may want to conduct further attacks to acquire more sensitive data.

Currently, Dragonforce's Darknet website does not have any entries about M&S.

Jackie Naghten, a business consultant who has worked with large retailers including M&S, Arcadia and Debenhams, told the BBC that the M&S hierarchy will “very serious” in data breaches, but warns that modern logistics in the retail industry is “very complex.”

“I feel like they're keeping the powder all the time. If they don't have any positive statements, then they're not saying anything.”

Ms Naghten said the entire customer showed great support and sympathy for the retailer.

But she added that it may take “another week” before providing information on when normal service will be restored.

“It's definitely a fate that makes them pay,” she said.

M&S shares have fallen by about 12% over the past month.