Marks & Spencer has revealed customers’ personal data has been taken by hackers after it was hit by a damaging cyber attack.
The retail giant’s chief executive Stuart Machin said the data had been accessed due to the “sophisticated nature of the incident” but stressed that this does not include “usable payment or card details, which we do not hold on our systems”.
There is also no evidence that account passwords have been shared, according to the statement.
M&S did not say how many customers had been affected but in a social media post, Mr Machin said there is “no need for customers to take any action”.
“To give customers extra peace of mind, they will be prompted to reset their password the next time they visit or log on to their M&S account and we have shared information on how to stay safe online,” he said.
M&S had 9.4 million active online customers in the year to 30 March, according to its last full-year results.
A cybersecurity expert told Sky News, however, that the lack of sensitive data being shared “does not mean that customers are not at risk”.
“With simple data such as names, email addresses, and potentially other personal details like addresses or phone numbers, which have been reported as accessed, attackers can use this information to create highly targeted and convincing phishing emails or text messages,” said Tim Grieveson, CSO at ThingsRecon.
“These emails from attackers can appear very legitimate because they use real personal information.”
He added that stolen personal data can be used “as pieces of a puzzle by fraudsters”.
Image: An M&S in Aberdeen on 29 April. Pic: SponPlague
“For example, if an attacker has your name and address, they might combine it with other publicly available information to attempt to open accounts or conduct other fraudulent activities.”
M&S has been struggling for weeks after hackers, reportedly from the Scattered Spider group, attacked its networks.
Image: M&S’s recruitment page on 1 May. Pic: M&S
The British retailer was forced to halt recruitment amid the ongoing attack that became apparent on Easter Monday.
Shelves around the country have been bare and customers are unable to shop online.
An employee at M&S’s head office, who spoke to Sky News on condition of anonymity, said that last week had been “just pure chaos”.
“We didn’t have any business continuity plan [for this], we didn’t have a cyber attack plan,” the source said.
“In general, it’s lots of stress. People have not been sleeping, people have spent their weekends working, people sleeping in the office – just reactive response.”
The Co-op also faced a similar major incident and was forced to apologise after hackers managed to access the data of a “significant number” of past and current members.
In the same week, luxury department store Harrods also suffered an attempted hack and temporarily restricted internet access across its sites as a precautionary measure.
The National Crime Agency has said it is investigating the attacks individually but is “mindful they may be linked”.