Marks & Spencer confirms customer data stolen in cyberattack

British retailer Marks and Spencer (M&S) announced on Tuesday that it was writing to customers to confirm their personal data had been compromised in a recent cyberattack.

It follows the company announcing in April that it had been managing a cyber incident that was causing disruption to its operations. The share price for M&S — a constituent of the FTSE 100 Index — has dropped 11% over the last month.

Online shopping is still unavailable for M&S customers. While in-person shopping continues, the company’s stores around the country feature empty shelves and laminated signs apologising to customers for “technical issues affecting product availability.”

M&S online customers are being informed today that the compromised data could include their names, home and email addresses, and phone numbers, but not “useable payment or card details, which we do not hold on our systems, and it does not include any account passwords,” the company stated.

“There is no evidence that this data has been shared,” added the M&S statement, which told customers there was no need for them to take any additional actions, although they will be asked to reset their passwords the next time they log in.

It comes as shelves at fellow British retail group the Co-op are running increasingly depleted following another cyberattack detected shortly after the M&S incident. The Co-op is yet to completely relaunch its IT network over fears the hackers still have access to the system and could cause further damage.

A potentially similar attack targeted luxury store Harrods around the same time. While all three incidents have been claimed by the DragonForce ransomware group, such groups are known to make false claims and there has been no independent confirmation of the nature of the attacks.

Britain’s National Cyber Security Centre (NCSC) says it is working with organisations affected by the recent attacks on the retail sector “to understand the nature of the attacks and to minimise the harm done by them,” and that it is “providing advice to the wider sector and economy.”

The NCSC, a part of cyber and signals intelligence agency GCHQ, said: “Whilst we have insights, we are not yet in a position to say if these attacks are linked, if this is a concerted campaign by a single actor or whether there is no link between them at all. We are working with the victims and law enforcement colleagues to ascertain that.”