M&S Says Customer Data Stolen In Cyber Attack


Michael Race & Joe Tidy

Business reporter & Cyber correspondent, BBC News

People walk in front of M&S shop on Oxford Street, central London (Image: BBC)

Marks & Spencer has revealed that some personal customer data was stolen in the recent cyber attack, which could include telephone numbers, home addresses and dates of birth.

The High Street giant said the personal information taken could also include online order histories, but added the data theft did not include useable payment or card details, or any account passwords.

M&S was hit by the cyber attack 3 weeks ago and is struggling to get services back to normal, with online orders still suspended.

The retailer said customers would be prompted to reset account passwords "for extra peace of mind".

M&S chief executive Stuart Machin said the company was writing to customers to inform them that "unfortunately, some personal customer information has been taken".

"Importantly, there is no evidence that the information has been shared," he added.

However, it is understood that the hackers could yet share or sell on the stolen data as part of their attempts to extort M&S, which still represents a risk of identity fraud.

The retailer has not revealed how many of its customers have had their data stolen, but said it had emailed all website users to inform them, reported the case to the relevant authorities and was working with cyber security experts to monitor any developments.

According to its last full-year results, the company had some 9.4 million active online customers in the year to 30 March.

Mr Machin said M&S was "working around the clock to get things back to normal" as quickly as possible.

What has been taken?

M&S confirmed the contact information stolen could include:

  • name
  • date of birth
  • telephone number
  • home address
  • household information
  • email address
  • online order history

The retailer added any card information taken would not be useable as it does not hold full card payment details on its systems.

What should you do?

M&S has said people do not need to take any action, but has also said:

  • users will be prompted to reset their password for their online account
  • customers should be cautious as they "might receive emails, calls or texts claiming to be from M&S when they are not"
  • M&S will never contact you and ask for personal account information like usernames or passwords

Lisa Barber, tech editor at consumer group Which?, said it was concerning that criminals had gained access to information that could be used for identity fraud.

"It's always a good idea to change your password as soon as possible if there's been a data breach and to ensure your new password is unique from any other online accounts," she said.

Matt Hull, head of threat intelligence at cyber security company NCC Group, said attackers who have stolen personal information can use it to "craft very convincing scams".

"If you're unsure about an email's authenticity, don't click any links. Instead, visit the company's website directly to verify any claims."

How did the hack happen?

Problems at M&S began over the Easter weekend when customers reported problems with Click & Collect and contactless payments in stores.

The company confirmed it was dealing with a "cyber incident" and while in-store services have resumed, its online orders on its website and app have been suspended since 25 April.

There is still no word on when online orders will resume.

M&S' announcement that customer data had been stolen as part of the ongoing cyber attack was expected due to the nature of the attack.

The hackers behind it, who also recently targeted Co-op and Harrods, used the DragonForce cyber crime service to carry out the attacks.

DragonForce operates an affiliate cyber crime service on the darknet for anyone to use their malicious software and website to carry out attacks and extortions.

The group is known to use a double extortion method, which means they steal a copy of their victim's data as well as scramble it to make it unusable.

They can then effectively ask for a ransom for both unscrambling the data and deleting their copy.

However, if the person or business hacked does not want to pay a ransom, criminals can in some cases start leaking the stolen data to other cyber criminals, who could look to carry out further attacks to gain more sensitive data.

At the moment, DragonForce's darknet website does not have any entries about M&S.

'It's costing them fortunes'

Jackie Naghten, a business advisor who has worked with large retailers including M&S, Arcadia and Debenhams, told the BBC that the board at M&S would be taking the data breach "very seriously", but warned modern logistics in retail were "massively complex".

"I feel they have been keeping their powder dry. If they have not got anything positive to say then they are not saying anything," she said.

Ms Naghten said on the whole customers were showing a lot of support and sympathy to the retailer.

But she added it was likely M&S had "another week" before it would have to provide information on when normal service would resume.

"It's absolutely costing them fortunes," she told the BBC.

Shares in M&S are down some 12% over the past month.
