UK retailer Marks & Spencer (M&S) has taken urgent steps to secure customer accounts following a cyberattack that compromised the personal data of its customers.
M&S on Tuesday confirmed it was the target of a cyberattack three weeks ago that exposed customer information, prompting the company to reset passwords for affected users.
According to a FAQ page published on the M&S website, the compromised personal information includes contact details such as name, email address, addresses, telephone number, date of birth, online order history, household information, and “masked” payment card details used for online purchases.
It added that for individuals who may previously have had an M&S credit card or Sparks Pay, their customer reference numbers, which are not their credit card number or payment details, may also have been compromised.
However, the company assured that financial information, such as usable card or payment details, or account passwords, remains secure and has not been compromised. Additionally, there is no evidence that the compromised data has been shared.
M&S Comments
“Today, we are writing to customers informing them that due to the sophisticated nature of the incident, some of their personal customer data has been taken. Importantly, the data does not include usable payment or card details, which we do not hold on our systems, and it does not include any account passwords.
There is no evidence that this data has been shared,” M&S said in a filing posted to the London Stock Exchange on Tuesday morning.
Following the discovery of the cyberattack, M&S immediately took steps to protect its systems and engaged leading cybersecurity experts.
The company has also reported the incident to relevant government authorities and law enforcement, with whom it is working closely to investigate the incident.
Meanwhile, the company has reset passwords for users with active M&S accounts. The next time they visit or log in to their M&S.com account on the website or app, users will be prompted to reset their password.
M&S is also warning customers to be on alert for fraudulent emails, phone calls, or text messages impersonating M&S, and is urging them to treat any such unexpected communication with caution and to never share personal details or passwords with anyone.
“We sincerely apologise for any inconvenience caused to you and all of our customers. Thank you so much for shopping with us and for your support, we never take it for granted,” the company said in a cyber update.
M&S has not disclosed who was behind the attack, how the hackers gained access, or how many customers have been affected. Meanwhile, customers who believe their information may have been misused are advised to change their passwords immediately.
To help customers stay safe online, M&S has asked its users to be cautious with emails or text messages asking them to click on links; use strong, unique passwords; enable two-factor authentication where possible; avoid using the same password across multiple accounts; and update software on phones and devices to receive important security updates. Additionally, customers can visit the National Cyber Security Centre’s website: www.ncsc.gov.uk/guidance/data-breaches for more guidance.
M&S says it will continue to provide updates as its investigation progresses.