Marks & Spencer has confirmed that personal information belonging to some of its customers was stolen in a recent cyber attack, as the high street retailer continues to battle the aftermath of the breach.
The attack, which occurred three weeks ago, has left parts of M&S’s online services disrupted, with customers still unable to place orders through its website. In a statement on Tuesday, the company acknowledged that stolen data may include customers’ home addresses, telephone numbers, dates of birth, and online order histories.
While no passwords or usable payment details were compromised, the retailer said it was taking precautions to protect customers. All online account holders are being prompted to reset their passwords “for extra peace of mind.”
Chief executive Stuart Machin said M&S had begun contacting affected customers directly. “Unfortunately, some personal customer information has been taken,” he said, but stressed that “there is no evidence that the information has been shared.”
However, cybersecurity experts have warned that stolen data could still be leaked or sold by the attackers, posing a risk of identity theft or fraud. M&S has not disclosed how many customers have been affected, but said it had notified all users of its website about the incident. According to its most recent annual report, the company had approximately 9.4 million active online customers as of March 2024.
The retailer has reported the breach to the Information Commissioner’s Office (ICO) and other relevant authorities. It is also working closely with cybersecurity specialists to investigate the incident and monitor for any further threats.
“We are working around the clock to get things back to normal,” Machin said. “Our priority remains the security of our customers’ data and restoring trust.”
The breach comes amid a growing wave of cyber attacks targeting major retailers and organisations, as hackers increasingly seek to exploit customer data for financial gain. Industry analysts say the incident is likely to raise concerns about data security practices among UK businesses, particularly those with large online operations.
Customers are being urged to remain vigilant for suspicious activity and avoid sharing personal information with unverified contacts. M&S has published guidance on its website to help users protect their data and will continue to provide updates as the investigation progresses.
