Marks & Spencer has revealed that some personal customer data was stolen during a cyber attack that has crippled its online operations for more than three weeks.
The high street giant disclosed on Tuesday that personal information taken could include names, dates of birth, telephone numbers, home addresses, household information, email addresses and online order histories. However, the company stressed that the data does not include useable payment or card details, which it does not hold on its systems, nor any account passwords.
Stuart Machin, chief executive officer at M&S, said: “Today, we are writing to customers informing them that due to the sophisticated nature of the incident, some of their personal customer data has been taken.”
He added: “Importantly, there is no evidence that the information has been shared.”
The company has not disclosed how many customers have been affected by the data breach but said customers would be prompted to reset their passwords “for extra peace of mind” the next time they log into their M&S accounts.
In an email to customers, Jayne Wall, operations director at M&S, advised: “You do not need to take any action, but you might receive emails, calls or texts claiming to be from M&S when they are not, so do be cautious. Remember that we will never contact you and ask you to provide us with personal account information, like usernames, and we will never ask you to give us your password.”
M&S began experiencing problems with its systems on 25 April, initially affecting in-store payments before spreading to other parts of the organisation. The retailer has been unable to take online orders since then as it attempts to resolve the issues.
The retailer’s share price has fallen 15 per cent since the Easter weekend when problems with orders first started. Analysts at Deutsche Bank estimated earlier this month that the profit hit would have been at least £30 million, with the run rate at about £15 million a week.
The company stated it had taken steps to protect its systems and engaged leading cybersecurity experts. It has also reported the incident to relevant government authorities and law enforcement.
The Information Commissioner’s Office previously confirmed it had received reports from M&S and was working closely with the National Cyber Security Centre on the matter.
Machin said the company was “working around the clock to get things back to normal” as quickly as possible.
