Michael Race & Joe Tidy
Business reporter & Cyber correspondent, BBC News
BBC
Marks & Spencer has revealed that some personal customer data was stolen in the recent cyber attack, which could include telephone numbers, home addresses and dates of birth.
The High Street giant said the personal information taken could also include online order histories, but added the data theft did not include useable payment or card details, or any account passwords.
M&S was hit by the cyber attack three weeks ago and is struggling to get services back to normal, with online orders still suspended.
The retailer said customers would be prompted to reset account passwords “for extra peace of mind”.
The ongoing problems are costing the retailer £43m a week in lost sales, according to analysis from Bank of America Global Research.
M&S chief executive Stuart Machin said the company was writing to customers to inform them that “unfortunately, some personal customer information has been taken”.
“Importantly, there is no evidence that the information has been shared,” he added.
However, it is understood that the hackers could yet share or sell on the stolen data as part of their attempts to extort M&S, which still represents a risk of identity fraud.
The retailer has not revealed how many of its customers have had their data stolen, but said it had emailed all website users to inform them, reported the case to the relevant authorities and was working with cyber security experts to monitor any developments.
According to its last full-year results, the company had some 9.4 million active online customers in the year to 30 March.
Mr Machin said M&S was “working around the clock to get things back to normal” as quickly as possible.
Marks and Spencer was not the only retailer to suffer a cyber incident of this nature.
The Co-op, which experienced a similar attack, is expected to resume online deliveries, on Wednesday.
Media reports, first cited in The Grocer magazine, say the retailer has told suppliers to prepare for online services to resume.
What has been taken?
M&S confirmed the contact information stolen could include:
namedate of birthtelephone numberhome addresshousehold informationemail addressonline order history The retailer added any card information taken would not be useable as it does not hold full card payment details on its systems.
What should you do?
M&S has said people do not need to take any action, but has also said:
users will be prompted to reset their password for their online accountcustomers should be cautious as they “might receive emails, calls or texts claiming to be from M&S when they are not”M&S will never contact you and ask for personal account information like usernames or passwordsLisa Barber, tech editor at consumer group Which?, said it was concerning that criminals had gained access to information that could be used for identity fraud.
“It’s always a good idea to change your password as soon as possible if there’s been a security breach and to ensure your new password is unique from any other online accounts,” she said.
Matt Hull, head of threat intelligence at cyber security company NCC Group, said attackers who have stolen personal information can use it to “craft very convincing scams”.
“If you’re unsure about an email’s authenticity, don’t click any links. Instead, visit the company’s website directly to verify any claims.”
How did the hack happen?
Problems at M&S began over the Easter weekend when customers reported problems with Click & Collect and contactless payments in stores.
The company confirmed it was dealing with a “cyber incident” and while in-store services have resumed, its online orders on its website and app have been suspended since 25 April.
There is still no word on when online orders will resume.
M&S’ announcement that customer data had been stolen as part of the ongoing cyber attack was expected due to the nature of the attack.
The hackers behind it, who also recently targeted Co-op and Harrods, used the DragonForce cyber crime service to carry out the attacks.
DragonForce operates an affiliate cyber crime service on the darknet for anyone to use their malicious software and website to carry out attacks and extortions.
The group is known to use a double extortion method, which means they steal a copy of their victim’s data as well as scramble it to make it unusable.
They can then effectively ask for a ransom for both unscrambling the data and deleting their copy.
However, if the person or business hacked does not want to pay a ransom, criminals can in some cases start leaking the stolen data to other cyber criminals, who could look to carry out further attacks to gain more sensitive data.
At the moment, DragonForce’s darknet website does not have any entries about M&S.
‘It’s costing them fortunes’
Jackie Naghten, a business consultant who has worked with big retailers including M&S, Arcadia and Debenhams, told the BBC that the hierarchy at M&S would be taking the data breach “very seriously”, but warned modern logistics in retail were “massively complex”.
“I feel they have been keeping their powder dry. If they have not got anything positive to say then they are not saying anything,” she said.
Ms Naghten said on the whole customers were showing a lot of support and sympathy to the retailer.
But she added it was likely M&S had “another week” before it would have to provide information on when normal service would resume.
“It’s absolutely costing them fortunes,” she said.
Shares in M&S are down some 12% over the past month.
