M&S customers latest victim of cyber attack 

High street retailer Marks & Spencer says customer data stolen by cyber criminals includes addresses and dates of birth 

M&S has been the subject of a major cyber attack. Over the Easter weekend (April 19-21), issues were reported with in-store contactless payments and the online Click & Collect service. The retailer has now revealed that the sizeable attack included the theft of customers’ personal information.  

This stolen data may include names, addresses and online order history – but, says M&S, payment details and passwords were not affected.  

It is not yet known how many of the company’s 9.4m active online customers have had data stolen. 

Online orders remain suspended three weeks after the attack. There have also been reports of bare shelves in some M&S stores, and delays in recruiting staff. 

As required by law, M&S reported the cyber attack to the Information Commissioner’s Office, as confirmed earlier this month. Since then, the regulator has been working with the National Cyber Security Centre to investigate. 

The BBC reports that the attack was carried out by the criminal gang called DragonForce, which has recently targeted fellow retailers Co-op and Harrods. The gang is known to use ‘double extortion’: it first steals copies of its victims’ data, then scrambles (encrypts) the originals so that the victims can no longer access them. The victim is then asked to pay a ransom both to regain access to their own data and to ensure the stolen copy is deleted.

However, the Guardian and Sky News link the attack on M&S to hacking group Scattered Spider. 

In a statement, Stuart Machin, Chief Executive of M&S, said: ‘Unfortunately, some personal customer information has been taken. Importantly, there is no evidence that the information has been shared.’ 

He added that staff are ‘working around the clock to get things back to normal.’ 

M&S has emailed customers with online accounts today to notify them of the breach. Customers are advised to reset their passwords, ‘for extra peace of mind.’

Jayne Wall, Operations Director at M&S, adds: ‘You do not need to take any action, but you might receive emails, calls or texts claiming to be from M&S when they are not, so do be cautious. Remember that we will never contact you and ask you to provide us with personal account information, like usernames, and we will never ask you to give us your password.’ 

Simon Guerrier
Writer and journalist for Infotec, Social Care Today and Air Quality News