Marks & Spencer (M&S) has confirmed that personal customer information was among the items stolen in the recent cyber attack, and that this may include telephone numbers, home addresses and dates of birth.
Online Purchase History Compromised, But No Card Details Affected
The High Street retailer said the personal details stolen may also include online purchasing histories, but said the data theft did not involve usable payment or card details, or account passwords.
M&S was targeted by the cyber attack three weeks ago and is still trying to get services back to normal, with online orders still suspended.
Password Resets for Customer Accounts
The retailer added that customers would be asked to reset their account passwords “for extra peace of mind”.
M&S boss Stuart Machin told customers the firm was writing to them to tell them that “regrettably, some personal customer details have been stolen”.
“There is no evidence that the data has been passed on,” he added.
But it is believed the hackers may yet pass on or sell the stolen data as part of their efforts to blackmail M&S, so the data still poses a threat of identity theft to affected customers.
Number of Affected Customers Unknown
The retailer has not said how many of its customers had their information taken, but added that it had written to all users of its website to inform them, had reported the incident to the appropriate authorities and was in contact with cyber security specialists to keep any developments under review.
Based on its latest full-year results, the firm had around 9.4 million active online customers in the year ended 30 March.
Mr Machin added that M&S was “working around the clock to get things back to normal” as soon as possible.
What Has Been Stolen?
M&S said the contact details stolen may include:
- Name
- Date of birth
- Telephone number
- Home address
- Household information
- Email address
- Online order history
The retailer also said any card details stolen would not be usable because it does not store full card payment details on its systems.
What Should You Do?
M&S has said that customers do not need to take any action, but has also stated:
- Users will be asked to reset their password for their online account
- Customers should be careful as they “might receive emails, calls or texts purporting to be from M&S when they are not”
M&S added: “You will never be contacted by us and asked for personal account details such as usernames or passwords.”
Experts Urge Precaution After Breach
Lisa Barber, Which?’s tech editor, said it was worrying that the criminals had obtained information that could be useful for identity fraud.
“It’s always best to change your password as soon as possible if there has been a security breach and make sure your new password is distinct from any other online accounts,” she said.
Matt Hull, threat intelligence leader at cyber security firm NCC Group, said hackers who have stolen personal data can use it to “craft very convincing scams”.
“If you’re unsure about an email’s authenticity, don’t click any links. Instead, visit the company’s website directly to verify any claims.”
Cyber Attack Began During Easter Weekend on M&S
Problems at M&S started during the Easter weekend, when shoppers complained of issues with Click & Collect and contactless payments in stores.
The retailer confirmed it was experiencing a “cyber incident” and although in-store services have returned to normal, its online orders on its website and app have been suspended since 25 April.
There is still no indication of when online orders will return.
Cyber Gang DragonForce Suspected Behind Attack on M&S
M&S’s confirmation that customer information had been stolen as part of the recent cyber attack was inevitable given the nature of the attack.
The attackers behind it, who also recently attacked Co-op and Harrods, employed the DragonForce cyber crime service to conduct the attacks.
DragonForce runs an affiliate cyber crime service on the darknet, through which anyone can use its malware and website to conduct attacks and extortion.
The gang is reported to use a double extortion tactic, which involves stealing a copy of the victim’s data and also scrambling (encrypting) it to render it unusable.
They can then demand a ransom both for unscrambling the data and for erasing their copy of it.
But if the hacked individual or company refuses to pay the ransom, the hackers can in certain instances begin leaking the stolen data to other criminals, who may use it to mount further attacks to obtain more sensitive information.
Currently, DragonForce’s darknet site has no mention of M&S.
Insider Insight on M&S’s Retail Response
Jackie Naghten, a consultant who has advised large retailers such as M&S, Arcadia and Debenhams, said M&S’s management would be taking the data breach “very seriously”, but cautioned that modern retail logistics were “massively complex”.
“I think they have been keeping their powder dry. If they have nothing good to say then they are not saying anything,” she said.
Ms Naghten said that, overall, customers were being very supportive of and sympathetic to the retailer.
But she said M&S probably had “another week” before it would need to offer details on when business as usual would resume.
“It’s costing them absolute fortunes,” she told the BBC. M&S shares have fallen around 12% in the last month.