M&S urges all customers to make one change after cyber attack exposes data

Marks and Spencer has been hit by a major cyber attack, with hackers managing to access customer personal information

Marks and Spencer has revealed that a cyber attack last month has led to the compromise of customer personal information. CEO Stuart Machin said today (May 13) that the breach was a result of the ‘sophisticated nature of the incident.’

Marks and Spencer (M&S) has reported that hackers may have accessed personal information such as names, email addresses, postal addresses, and dates of birth. However, the company reassured that payment details, card information, and account passwords were not compromised and are not thought to have been exposed online.

Although the precise number of customers affected is not disclosed, the retailer has reached out to all online shoppers via email to inform them of the breach. As of March 30, M&S indicated it had 9.4 million active online customers according to its most recent full-year results, reports Bristol Live.

In a message to customers, M&S has advised that there is “no need for customers to take any action”. CEO Stuart Machin took to the official M&S Instagram account, stating: “As we continue to manage the current cyber incident. We have written to customers today to let them know that unfortunately, some personal customer information has been taken.”

Machin further assured customers by saying: “Importantly, there is no evidence that the information has been shared, and it does not include usable card or payment details, or account passwords, so there is no need for customers to take any action.” Nonetheless, he hinted at recommending a precautionary step for customers the next time they log in online.

“To give customers extra peace of mind, they will be prompted to reset their password the next time they visit or log on to their M&S account,” he said. “We have shared information on how to stay safe online.

“Everyone at M&S is working around the clock to get things back to normal for our customers as quickly as possible, and we are very sorry for any inconvenience they have experienced. Our stores remain open as they have throughout. Thank you for shopping with us and for your continued support, we are incredibly grateful.”

A statement on the M&S website reads: “You do not need to take any action, but you might receive emails, calls or texts claiming to be from M&S when they are not, so do be cautious. We will never contact you and ask you to provide us with personal account information, like usernames, and we will never ask you to give us your password.”

What has happened?

Since April 25, M&S has been unable to accept any orders through its website or app whilst it addresses the problem, yet all physical shops are still trading. M&S initially identified the issue over the Easter weekend, which caused a disturbance in contactless payments and click-and-collect offerings, and has also impacted product availability within its stores.

Operations director Jayne Wall said: “To proactively manage the incident, we immediately took steps to protect our systems and engaged leading cyber security experts. We also reported the incident to relevant government authorities and law enforcement, who we continue to work closely with.”

How does it impact you and what actions should you take?

Jayne Wall advises: “You do not need to take any action, but you might receive emails, calls or texts claiming to be from MandS when they are not, so do be cautious. Remember that we will never contact you and ask you to provide us with personal account information, like usernames, and we will never ask you to give us your password.”

For further reassurance, she notes: “To give you extra peace of mind, next time you visit or login to your MandS.com account on our website or app, you will also be prompted to reset your password.” She adds: “We sincerely apologise for any inconvenience caused to you and all of our customers. Thank you so much for shopping with us and for your support, we never take it for granted.”

For more details and safety tips, customers should visit corporate.marksandspencer.com/cyber-update.

What will the password reset prompt look like?

1. When you next go to login on your M&S account, you will enter your account details and click sign in.
2. You will then see a message in red which asks you to click the ‘reset your password’ link.
3. Please click the link and you will be taken to a new webpage on M&S.com.
4. Once there, enter your email address and click the ‘send password reset’ link.
5. You will then receive an email to your registered account from Marks and Spencer Service asking you to reset your password.
6. Please click the ‘reset your password’ button in the email.
7. You will then be taken to a new webpage on M&S.com to enter your new password.
8. Enter and confirm your new password and then click the ‘reset my password’ button.
9. When this has been done, you will see a message to confirm your password has been changed.
10. Remember to use a strong and unique password.

Best ways to stay safe online:

• Be careful if you receive an email or text message asking you to click on a link – check it goes to where you expect it to.
• Use a strong and unique password for your email account, and use different passwords for each account you have.
• Always do your software updates on your phones and devices as they often contain important security updates to protect you.

To ensure your online safety, focus on creating strong and unique passwords, activating multi-factor authentication, and regularly updating your software and devices. Be cautious about the information you disclose, steer clear of suspicious links, and confirm any requests for personal details. Consistently back up your data and think about utilising a VPN for enhanced security, particularly when accessing public Wi-Fi.

It’s been suggested that a hacker collective known as Scattered Spider may be linked to the breach. On May 2, the Information Commissioner’s Office declared it is probing into the matter, which coincides with another significant breach at the Co-op.

In other news, luxury department store Harrods confirmed earlier this month that it was the target of an attempted cyber attack. As a precautionary measure, it has temporarily restricted internet access across its sites. For further assistance, guidance can be found on the government’s National Cyber Security Centre website.