Marks & Spencer has confirmed that some personal customer data was taken by hackers during the cyber attack at the end of last month.
The retailer stressed that the data accessed did not include usable payment or card details, nor any account passwords. Reports suggested that the details taken were names, addresses and order histories.
M&S said there is also no evidence that this data has been shared, and it was telling customers there was no need to take any action. However, “for extra peace of mind”, they will be prompted to reset their password the next time they log into their M&S account.
The company did not say how many customers had been affected, but its last annual accounts said it had 9.4 million active customers on its online platforms.
Cybersecurity experts noted that the lack of sensitive data being shared “does not mean that customers are not at risk”.
Tim Grieveson, chief security officer at ThingsRecon, told Sky News: “With simple data such as names, email addresses, and potentially other personal details like addresses or phone numbers, which have been reported as accessed, attackers can use this information to create highly targeted and convincing phishing emails or text messages,
“These emails from attackers can appear very legitimate because they use real personal information.”
Since its IT systems were hit by a ransomware attack, M&S has not been taking online orders, and the availability of some products in its stores has been affected.
The company said today that it had taken steps to protect its systems and had engaged leading cybersecurity experts. It has reported the incident to the relevant government authorities and law enforcement.
Last week, Co-op had to stop ordering all but essential goods as it battled to restore its IT systems after a similar cyber attack.
NAM Implications:
- Shoppers patently care less about availability (they change shop)…
- …than they care about breaches of their personal data.
- This becomes a significant credibility issue for M&S.
- i.e. time and effort to rebuild trust…
- …improvements in availability will come second place.
