Marks & Spencer confirms consumer data stolen in cyber attack

British department store Marks & Spencer has confirmed that “some personal customer information has been taken” in the wake of its recent cyber attack.

The retailer’s chief executive officer, Stuart Machin, said in a statement that while there was no evidence of the stolen data being shared, customers will be asked to reset their password the next time they log in to their Marks & Spencer account.

It was noted that there was no evidence of usable card details or payment information among the data that was stolen, “so there is no need for customers to take any action” in that regard.

Machin added: “Everyone at M&S is working around the clock to get things back to normal for our customers as quickly as possible, and we are very sorry for any inconvenience they have experienced. Our stores remain open as they have throughout.”

Marks & Spencer confirmed it was dealing with a cyber attack on April 22 and as a result halted its online orders and in-store contactless payments, as well as moved some processes offline, until the situation had been dealt with.

It has been suspected that ransomware group Scatter Spider are behind the attack, and are said to have stolen data as far back as February to help them get into the retailer’s systems.

Marks & Spencer’s own attack was followed by similar moves on other UK retailers, like Co-op and Harrods, both of which confirmed attempts to hijack their systems.