M&S customer data stolen in cyber attack

Marks & Spencer has admitted that customer data was stolen in a cyber attack that has crippled the retailer.

The high street giant said it would be writing to millions of customers on Tuesday to inform them that some of their personal data had been taken more than three weeks after it first confirmed the incident.

Stuart Machin, the chief executive, said: “As we continue to manage the current cyber incident, we have written to customers today to let them know that unfortunately, some personal customer information has been taken.

“Importantly, there is no evidence that the information has been shared and it does not include useable card or payment details, or account passwords, so there is no need for customers to take any action.”

M&S declined to comment on how many customers had been affected. However, The Telegraph understands it will be writing to all customers that have details on its systems to warn them of the breach.

This includes all members of its Sparks loyalty programme and anyone who has shopped on M&S.com.

Mr Machin added that customers would be prompted to reset their password next time they log into its website.

The cyber attack on M&S has forced it to halt online orders for almost three weeks, left shelves empty and wiped more than £1bn off its share price.

The news of the data breach comes more than three weeks after M&S first confirmed the cyber attack, on April 22.

The retailer claims to serve more than 32m customers worldwide, with more than 16m members on its Sparks loyalty programme.

M&S has been working with the National Crime Agency, the National Cyber Security Centre and the Metropolitan police on the incident. It has also called in cyber security experts from Silicon Valley to deal with the fallout and alerted Britain’s data regulator, the Information Commissioner’s Office.

The hack comes amid a spree of attacks on UK retailers. After M&S confirmed it had been breached, Co-op admitted customer data had been stolen. Harrods, the department store group, said it had also been targeted.

The attacks have been blamed on a hacking cartel, known as DragonForce, which has held the retailers to ransom after infiltrating their systems.

Cyber security investigators are also exploring the possibility that a group known as Scattered Spider, a gang of teenage hackers based in the UK and the US, are involved in the crime wave.

The hackers are believed to have tricked IT helpdesk workers into resetting staff passwords, giving them access to internal systems. Once inside, they have attempted to steal data and encrypt the retailers’ IT network, demanding payment to unlock them.

The cyber attack has left M&S unable to process online orders since April 25. Shelves have been left empty as the retailer struggles to get food orders to stores on time, while staff have been forced to abandon handheld scanners and other technology. It has also frozen hiring as it attempts to rebuild its IT systems.

The Co-op has also dramatically reduced its hiring in the wake of the hack. As of Tuesday, around a dozen job openings were available on its website, compared to several hundred ahead of last month’s cyber attack. Co-op has also been forced to divert groceries to stores in remote areas to keep them supplied as it faces its own shortages.

A Co-op spokesman said: “Following proactive measures we’ve taken to protect our systems, we are managing some temporary limitations within our recruitment processes.

“We are focusing on progressing recruitment for priority operational roles. Recruitment activity is ongoing and we’re continuing to keep candidates updated as we progress.”

Last week, Pat McFadden, the Chancellor of the Duchy of Lancaster, said the cyber attacks should serve as a “wake-up call for every business in the UK”.

Broaden your horizons with award-winning British journalism. Try The Telegraph free for 1 month with unlimited access to our award-winning website, exclusive app, money-saving offers and more.