M&S Confirms Customer Data Breach in Cyber Attack

Marks & Spencer has confirmed it has been the victim of a cyber attack resulting in the theft of some customer personal data, according to an email sent to affected customers today.

The high street retailer said it had taken immediate steps to manage the incident, including engaging leading cyber security experts and reporting the breach to relevant government authorities and law enforcement.

In an email to customers signed by Operations Director Jayne Wall, M&S confirmed that some personal customer data had been stolen in the attack, though there is "no evidence that it has been shared" with third parties.

According to the retailer, the compromised information could include customer contact details such as name, email address, postal addresses and telephone numbers. The breach also potentially exposed dates of birth, online order history and household information, as well as 'masked' payment card details used for online purchases.

M&S clarified that it does not hold full payment card details on its systems, which is why they use the term 'masked'. The company emphasised that the stolen data does not include "useable card or payment details" and does not contain any account passwords.

Additionally, customers who have or previously had an M&S credit card or Sparks Pay may have had their customer reference numbers exposed. However, the company stressed that these are not credit card numbers or payment details.

Customers have been advised they do not need to take any immediate action but should remain vigilant against potential phishing attempts. "You might receive emails, calls or texts claiming to be from M&S when they are not, so do be cautious," the company warned.

The retailer reminded customers that it would never contact them requesting personal account information, such as usernames, and would never ask for passwords.

To help customers stay safe online, M&S provided several security tips:

• Be cautious of emails or text messages asking you to click on links, and verify they go to expected destinations
• Use strong, unique passwords for email accounts, and different passwords for each account
• Keep phones and devices updated with the latest software to benefit from security updates
• For additional guidance, visit the government's National Cyber Security Centre website at www.ncsc.gov.uk/guidance/data-breaches

As a precautionary measure, M&S confirmed that customers will be prompted to reset their passwords the next time they log in to their accounts on the company website or mobile application.

In the email, Wall apologised for any inconvenience caused by the incident, stating:

"We sincerely apologise for any inconvenience caused to you and all of our customers."

The company has created a dedicated webpage with further information, FAQs and security advice at corporate.marksandspencer.com/cyber-update.