Marks & Spencer (M&S) has fessed up that personal customer data was stolen in the recent cyber-attack, and that it could include contact details and dates of birth.
The company’s chief executive Stuart Machin said: “As we continue to manage the current cyber incident, we have written to customers to let them know that unfortunately some personal information has been taken.”
He stressed that there is no reason to believe that the information has been shared and it does not include any useable card or payment details, or account passwords. “There is no need for customers to take any action.”
However, to give customers extra peace of mind, he said they will be prompted to reset their passwords the next time they visit or log on to their M&S account. “We have shared information on how to stay safe online.”
M&S added: “As part of our proactive management of the incident, we have taken steps to protect our systems and engaged leading cyber security experts. We have also reported the incident to relevant government authorities and law enforcement, who we continue to work closely with.”
“Today, we are writing to customers informing them that due to the sophisticated nature of the incident, some of their personal customer data has been taken.”
M&S, one of the best-known names in British business, stopped taking online orders back on April 25, and its share price has fallen 15% since the Easter weekend, when problems with orders first started.
Don’t Assume There’s Nothing to Worry About
Charlotte Wilson, head of enterprise at Check Point Software, commented: “Customers should not assume there is nothing to worry about. Even if payment data or passwords were not taken, the personal information that was, such as email addresses, phone numbers and home addresses, can still be exploited by cybercriminals.
“This type of data is protected for a reason,” she said. “It can be used to create convincing scams that feel personal and trustworthy. We often see a spike in phishing emails, fake delivery texts and scam calls after breaches like this, particularly when order history or usernames are involved.
“Attackers may also try to reset passwords or access other platforms by testing reused login credentials. If phone numbers were accessed, people should be alerted to smishing and vishing attempts. The simple truth is, if you are unsure, do not click. I have seen the ‘free tea in M&S’ scam emails myself, and they will get clicked on by the most unsuspecting. The sad thing is this quickly shifts from being a corporate hack to something that impacts everyday people,” Wilson added.
This Could Trigger Significant Scrutiny
Piyush Pandey, CEO at Pathlock, said that from a compliance standpoint, this breach could trigger significant scrutiny under GDPR and UK privacy laws – particularly given the compromise of sensitive personal data, including names, addresses, birthdates, and order histories.
“For enterprises across sectors, the incident underscores the need to move beyond ‘checkbox’ compliance and adopt a comprehensive, policy-driven governance framework, one that continuously monitors adherence to internal controls and dynamically adapts to evolving regulatory requirements and business needs,” Pandey added.
Targeted Acts of Phishing
Chris Linnell, associate director, data privacy at Bridewell, said: “The risk that you could become a victim of fraud after a data breach depends in part on the type of data that was compromised. Given M&S have confirmed that payment card details and account passwords have not been compromised in this data breach, the risk of credit fraud is reduced, which will hopefully come as a relief to impacted consumers.”
That said, Linnell added that threat actors have had access to name and contact details, in addition to online order history, which could be used for spam purposes or more sophisticated phishing attempts. “Criminals can use data exposed in breaches to commit targeted acts of phishing by convincing you their communications are from a legitimate source, with the goal of tricking you into handing over more sensitive information or providing access to financial accounts. Recognising common signs of phishing – such as urgent or threatening language, unfamiliar sender addresses, unexpected attachments, and requests for information the sender should already know – can help you protect yourself. Staying alert to these red flags is key to avoiding online scams.”
Watch Out for Fake Messages
“People should watch out for fake messages, as scammers may try to exploit the breach with emails or texts pretending to be from M&S,” commented Dray Agha, senior manager of security operations at Huntress. “If you’re asked for login details or personal info, don’t reply, and don’t click suspicious links. Change your password, even if they say you don’t have to. While M&S claims passwords weren’t taken, resetting yours now is a smart move, especially if you reuse it on other websites, and whilst you’re changing that password, enable multi-factor authentication (MFA). It adds an extra layer of security to your email and online shopping accounts, and makes it much harder for hackers to break in.”
Agha advised people to be extra alert if their name, birthday, and address were compromised. “Check your digital footprint: monitor your accounts for unusual activity and consider using a credit check service to spot identity fraud early.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.