
The shopping giant has contacted customers today (13 May) to confirm that while personal data was taken during the incident, no card details or access to payment options were stolen.
There is also no evidence customer passwords were accessed by the hackers, M&S wrote in a statement to the London Stock Exchange today.
Customers do not need to take any action but will be asked to update their password when they next shop with M&S online.
As part of the retailer’s “proactive management of the incident”, it has drafted in the help of cybersecurity experts and reported the event to the Government, which will work with the relevant authorities to investigate the matter.
On 22 April, online orders were cancelled and M&S was forced to pause contactless payments in UK stores following a ransomware attack.

This is where hackers encrypt a victim’s data or lock a firm’s online system and demand a ransom from the company so the system can go back to normal.
The issues persisted for customers for the next fortnight, with some stores full of shelves with no stock.
The M&S statement read: “Today, we are writing to customers informing them that due to the sophisticated nature of the incident, some of their personal customer data has been taken.
“Importantly, the data does not include usable payment or card details, which we do not hold on our systems, and it does not include any account passwords. There is no evidence that this data has been shared.”
It added: “We remain grateful for the support that our customers, colleagues, partners and suppliers have shown us during this time.”
‘Bitter pill to swallow’
Greg Zakowicz, senior ecommerce expert at Omnisend, said: “It will have been a bitter pill to swallow for M&S to admit that the recent cyber attack has put customer data at risk – particularly given the premium image the brand portrays.
“At the moment, the retailer’s advice is to change your account password and ensure it is unique and strong. But as an added layer of security, we would suggest that online customers enable two-factor authentication wherever possible and be cautious of phishing emails or suspicious calls that may use leaked data to appear legitimate.
“While it is reassuring that no payment data or passwords were reportedly compromised, the breach of personal information still poses serious risks – particularly in the form of phishing and identity fraud.”
Zakowicz added: “Heritage brands like M&S often put a lot of focus on the in-store experience, but their online presence must be robust enough to survive the risks that cyber criminals pose.
“Retailers must continue to invest in robust cybersecurity measures that not only protect transactional systems but also safeguard customer data across all digital touchpoints. Transparency and swift communication, as shown by M&S, are critical in maintaining trust during such events.”