The retailer had initially said last month that no customer data was taken by hackers.
Marks and Spencer (M&S) has revealed that some of its customers’ personal data was stolen during last month’s cyberattack.
In a statement posted to the London Stock Exchange today (13 May), the British retailer elaborated that while personal data was taken by hackers, the stolen information does not include any payment details or account passwords.
It found no evidence to suggest the stolen data has been shared, M&S said.
However, immediately following the attack late last month, the company claimed that no customer data was breached.
At the time, The Register pointed out that users on social media had been reporting issues for days prior to the incident being reported, ranging from returns being impossible to click and collect orders being unavailable in store due to technical difficulties.
The company has since been working with cybersecurity experts and has reported the incident to government authorities and law enforcement.
“We have said to customers that there is no need to take any action,” the company said, although, customers are being asked to reset their Marks and Spencer account password the next time they log on to the site.
Although sensitive financial data has not been leaked according to M&S, Tim Grieveson, a cyber expert and chief security officer at ThingsRecon, warned that customers could still be at risk.
“As we know, these scams are on the rise and might try to convince customers into revealing passwords, financial details or clicking on malicious links.
“Email addresses and other contact information could also be sold to spammers or other malicious actors, leading to an increase in unsolicited emails, calls or texts,” he said.
Late last year, the head of UK’s cybersecurity watchdog, the National Cyber Security Centre, warned that the country’s risk of cyberattacks is “widely underestimated”.
According to its report, there was as 16pc rise in cyberattacks when compared to 2023.
In 2024, the public Wi-Fi at 19 stations across the UK was subjected to a cybersecurity incident, just weeks after Transport for London, the organisation responsible for most of the city’s transport, reported an ongoing incident.
However, the UK’s not the only country at risk. Insurance company Hiscox reported that cyberattacks are “growing in frequency and complexity” throughout Europe.
Its report found that 74pc of surveyed Irish organisations suffered an increase in cyberattacks in 2024.
Don’t miss out on the knowledge you need to succeed. Sign up for the Daily Brief, Silicon Republic’s digest of need-to-know sci-tech news.
