M&S emails 9.4m customers to warn them of data loss

Marks & Spencer has finally confirmed what many industry experts have been predicting since last month that customers’ personal data has been stolen in the ransomware attack which has now entered its third week.

Having consistently rebuffed claims that the data had been compromised, the retailer has now emailed 9.4 million active customers, warning them about the breach, although it has refused to say how many shoppers have been affected.

The email, from operations director Jane Wall, states: “Unfortunately, the nature of the incident means that some personal customer data has been taken, but there is no evidence that it has been shared. The personal data could include contact details, date of birth and online order history.

“However, importantly, the data does not include useable card or payment details, and it also does not include any account passwords.

“You do not need to take any action, but you might receive emails, calls or texts claiming to be from M&S when they are not, so do be cautious. Remember that we will never contact you and ask you to provide us with personal account information, like usernames, and we will never ask you to give us your password.

“To give you extra peace of mind, next time you visit or login to your M&S.com account on our website or app, you will also be prompted to reset your password.

“We sincerely apologise for any inconvenience caused to you and all of our customers. Thank you so much for shopping with us and for your support, we never take it for granted.”

In the meantime, the disruption continues, with online orders still suspended, although all stores remain open.

A hacking group operating under the name Scattered Spider – which is apparently run by teenagers – has been linked to the ransomware attack.

The retailer is set to report its annual results on May 21.

Meanwhile, Co-op has already confirmed that attackers had stolen personal data from a “substantial” number of customers from its cyber attack, although in a email to its 5 million members group CEO Shirine Khoury-Haq insisted a “limited amount” of member data had been compromised. The retailer’s supply chain has been hit hard by the attack, with many shoppers faced with empty shelves.