Marks & Spencer (M&S), a prominent retailer on the High Street, recently disclosed a cyber attack that resulted in the theft of customer data. The stolen information may include personal details such as telephone numbers, home addresses, and dates of birth. Additionally, the compromised data could encompass online order histories. However, M&S assured customers that no usable payment or card details, nor account passwords, were accessed during the breach.
The cyber attack occurred three weeks ago, and M&S is still working to restore its services to normalcy. Online orders remain suspended as the retailer addresses the aftermath of the incident. To enhance security, M&S plans to prompt customers to reset their account passwords.
Stuart Machin, the chief executive of M&S, communicated with customers to inform them of the unfortunate data breach. He emphasized that, to date, there is no evidence suggesting that the stolen information has been shared. Nevertheless, there remains a possibility that the hackers might share or sell the data in an attempt to extort M&S, posing a risk of identity fraud.
Although M&S has not specified the number of customers affected, the company has taken proactive measures by emailing all website users about the breach. The incident has been reported to the relevant authorities, and M&S is collaborating with cybersecurity experts to monitor any developments. According to the company’s last full-year results, M&S had approximately 9.4 million active online customers up to March 30.
Machin reassured customers that M&S is working tirelessly to resolve the issue and restore normal operations as swiftly as possible. The retailer clarified that while contact information may have been stolen, any card information obtained would be unusable, as full card payment details are not stored on their systems. M&S has advised customers that no immediate action is required, though they are encouraged to change their passwords as a precaution.
Lisa Barber, tech editor at consumer group Which?, expressed concern over the breach, highlighting the potential for identity fraud. She recommended that customers change their passwords promptly and ensure they are unique across different online accounts. Matt Hull, head of threat intelligence at cybersecurity firm NCC Group, advised vigilance against potential scams. He suggested that customers verify the authenticity of emails by visiting the company’s website directly rather than clicking on any suspicious links.
The cyber attack at M&S began over the Easter weekend, initially disrupting Click & Collect services and contactless payments in stores. While in-store services have resumed, the suspension of online orders on the M&S website and app has been in effect since April 25. The company has not provided a timeline for when online orders will resume.
The announcement regarding the stolen customer data was anticipated, given the nature of the attack. The perpetrators, who have also targeted other retailers like Co-op and Harrods, utilized the DragonForce cyber crime service. DragonForce operates an affiliate service on the darknet, allowing users to employ its malicious software for attacks and extortion. The group is notorious for using a double extortion method, in which the attackers steal a copy of the victim's data and encrypt the original to render it unusable. They then demand a ransom both for decrypting the data and for deleting their copy.
In cases where the victim refuses to pay the ransom, the criminals may leak the stolen data to other cyber criminals, who could exploit it for further attacks. Currently, DragonForce’s darknet website does not list any entries about M&S.
Catherine Shuttleworth, a retail analyst from Savvy Marketing, remarked that this incident is a significant setback for M&S. Despite the support M&S has received from its customers in light of the cyber attack, the compromise of personal data is a major concern. Customers will require substantial reassurance from the company regarding the implications of the breach. M&S, a brand held in high regard and trusted by consumers, faces the challenge of maintaining its reputation and meeting the high standards expected by its shoppers.
