Marks & Spencer has contacted online customers to warn them that “some personal customer data” was stolen as part of the cyber-attack that has disrupted the company’s systems since 25 April, but said the data didn’t include card or payment details or account passwords.
The data could include contact details, dates of birth and online order history, the retailer said.
In the email, operations director Jane Wall said the data “does not include useable card or payment details, and it also does not include any account passwords”.
‘Peace of mind’
The company said customers do not need to take action, but will be prompted to change their passwords “for extra peace of mind”.
Wall cautioned that the stolen data could be used by hackers to carry out scams.
“You might receive emails, calls or texts claiming to be from M&S when they are not, so do be cautious,” she said.
“Remember that we will never contact you and ask you to provide us with personal account information, like usernames, and we will never ask you to give us your password.”
The retailer has not indicated how many of its customers had data stolen, but said it would contact all of them.
It had 9.4 million active online customers in the year to 30 March, according to its most recent full-year results.
The company said it has also reported the matter to the relevant authorities and is working with security experts to monitor developments.
Chief executive Stuart Machin said M&S was “working around the clock to get things back to normal” as soon as possible.
Customers began to experience issues over the Easter weekend and M&S halted online orders on 25 April.
While in-store operations have returned to normal, online orders remain suspended and the company has not indicated when they might resume.
Extortion
Hackers who contacted several media outlets to claim responsibility for the M&S hack said it had been carried out using the DragonForce cybercrime service.
The hackers said they were also behind recent attacks on the Co-op and Harrods.
The DragonForce service involves ransomware that encrypts an organisation’s systems as well as stealing data.
Such attacks frequently involve a double-extortion method in which the company is asked for one ransom to restore its encrypted data and a second to have the attackers delete their copy of the stolen data, which is published if the ransom is not paid.
DragonForce’s darknet website currently does not contain an entry for M&S.
Darren Williams, chief executive of security firm BlackFog, said the attack is an indicator of the current era of hacking “in which data is [hackers’] most prized target”.