Marks & Spencer confirms customers’ personal data was stolen in hack

CodeCanyon · May 13

U.K. retail giant Marks & Spencer has confirmed hackers stole its customers’ personal information during a cyberattack last month.

In a brief statement with London’s stock exchange on Tuesday, the retailer said an unspecified amount of customer information was taken in the data breach. The BBC, which first reported the company’s filing, cited a Marks & Spencer online letter as saying that the stolen data includes customer names, dates of birth, home and email addresses, phone numbers, household information and online order histories.

The company also said it was resetting the online account passwords of its customers.

Marks & Spencer continues to experience disruption and outages across its stores, with some grocery shelves remaining empty after the hack affected the company’s operations. The company’s online ordering system for customers also remains offline.

It’s not clear how many individuals’ data was stolen during the hack. When reached by TechCrunch, Marks & Spencer spokesperson Alicia Sanctuary would not say how many individuals are affected and referred TechCrunch to its online statement. Marks & Spencer had 9.4 million online customers as of 30 March 2024, per its most recent annual report.

A ransomware and extortion gang called DragonForce reportedly took credit for the cyberattacks on several U.K. retail giants, including Marks & Spencer, per media reports.

U.K. retailers the Co-op and Harrods were also targeted by hackers at around the same time as Marks & Spencer was hacked. The Co-op initially said there was no evidence that data was compromised, but later said the hackers had stolen customer data. In an update to its website, the Co-op said customer names, dates of birth, home and email addresses, and phone numbers were exfiltrated.

The BBC reported last week that DragonForce claimed it had the private information of 20 million people who signed up to Co-op’s membership program, including current and former members.

The U.K. National Cyber Security Centre said last week that it was “working with the victims and law enforcement colleagues” to understand more about the hacks.