Retailer Marks & Spencer has said that customer data – potentially including names, telephone numbers, addresses and dates of birth – were stolen in the cyber attack on its systems three weeks ago, but that payment or card details were not stored by the business.
The attack led to widespread disruption for the business, including to online orders, which have remained suspended since 25 April. A hacking group operating under the name Scattered Spider has been linked with the case, as well as with another recent major attack on the Co-op.
In an email to customers, Jayne Wall, operations director at M&S, said: “To proactively manage the incident, we immediately took steps to protect our systems and engaged leading cyber security experts. We also reported the incident to relevant government authorities and law enforcement, who we continue to work closely with.
“Unfortunately, the nature of the incident means that some personal customer data has been taken, but there is no evidence that it has been shared. The personal data could include contact details, date of birth and online order history. However, importantly, the data does not include useable card or payment details, and it also does not include any account passwords.”
Ryan McConechy, CTO of Barrier Networks, said: “This is the update nobody wanted, but that most security experts were expecting. Ransomware criminals don't just target organisations to shut down their operations, they want a levy to encourage organisations to pay their demands, and customer data is always the jackpot.
“By compromising customer data, attackers can not only put pressure on organisations to pay for it to be returned, but it also means if the victim doesn’t pay, they can sell the data on to other threat actors on the dark web, enabling them to still monetise from the attack.”
He warns that although bank information does not appear to have been compromised in this attack, the data that has been stolen could be used in phishing attacks against customers. He added: “These phishing emails could be in relation to the Marks and Spencer attack, or criminals could scan the dark web for other personal information relating to impacted customers and jigsaw more complete profiles on them. This could potentially enable them to commit identity fraud, or even gain access to their other online accounts.
“At this time, vigilance is key. Customers should always use caution in the online world, treat emails relating to the breach with care and avoid opening attachments or clicking on links.”