M&S says some personal data was taken in cyber-attack

Marks & Spencer has said for the first time that some personal customer information was taken in the cyber-attack that has crippled its online operation for more than three weeks.

Since the retailer’s IT systems were hit by a ransomware attack, it has not been taking online orders, and the availability of some products in its stores has been affected after it took some of its systems offline in response.

The company said the data accessed does not include usable payment or card details, nor any account passwords. The Guardian understands the details taken are names, addresses and order histories.

M&S said it had told customers there was no need to take any action, although “for extra peace of mind” they would be prompted to reset their password the next time they log into their M&S account. It did not say how many customers had been affected.

“Today, we are writing to customers informing them that due to the sophisticated nature of the incident, some of their personal customer data has been taken,” the company said.

“Importantly, the data does not include usable payment or card details, which we do not hold on our systems, and it does not include any account passwords. There is no evidence that this data has been shared.”

The group has not been able to take any orders through its website or app since 25 April as it tries to resolve the problems caused by the attack, which has been linked to the hacking group Scattered Spider.

The retailer said it had taken steps to protect its systems and engaged leading cybersecurity experts. It has reported the incident to relevant government authorities and law enforcement.

The Information Commissioner’s Office confirmed on 2 May that it had received reports from M&S and the Co-op Group, which has also suffered a cyber-attack. The ICO said it was working closely with the National Cyber Security Centre.

Stephen Bonner, the ICO deputy commissioner, said at the time: “We recognise that seeing cyber-attacks in the news can be concerning, especially if you are a customer.” He said the ICO website had advice for people who are worried about their personal information.

Source: theguardian.com