M&S admits hackers stole personal customer data in cyber attack
M&S has told customers that some of their personal data was stolen during the serious cyber attack the company has been battling for three weeks.
The retail giant said that the data does not include useable payment or card details, nor does it include account passwords.
It said there is no need for customers to take any action but that visitors to the website will be prompted to reset their password the next time they log onto their M&S account.
M&S added that there is “no evidence” that the data has been shared.
The FTSE 100 giant first told customers of the “cyber incident” on April 22, and has since been working “day and night” to resolve the issue.
M&S initially saw problems with its contactless payments and click and collect orders, then paused orders through its website and app.
Staff at a key logistics site were told to stay at home due to the continued disruption on Monday, and some stores were left with empty shelves.
Its share price has fallen by 14.6 per cent since the issue was first disclosed.
M&S cyberattack shocks retail industry
Cybercrime experts have warned that retailers with e-commerce platforms are particularly vulnerable to cybercrime due to the amount of payment data they process—UK retailers processed over 48bn payments in 2023.
According to Cisco’s latest index, only four per cent of UK firms are fully prepared to defend against today’s complex cyber threats.
Co-op and Harrods were both affected by cyber attacks in the week following M&S, with the former forced to stop contactless payments at around 10 per cent of its stores.
M&S added that it has “taken steps to protect our systems and engaged leading cyber security experts.”
“We have also reported the incident to relevant government authorities and law enforcement, who we continue to work closely with,” the company said.