The UK retailer Marks & Spencer confirmed on Tuesday that hackers stole its customers’ personal information during a cyberattack last month.
The company said in a brief statement issued through the London Stock Exchange that an unspecified amount of customer information was taken in the data breach.
Here is what we know and don’t know about the hacking, and how consumers who have been affected can protect their data.
What was taken?
The company said that names, addresses, phone numbers, and partial card information could have been accessed as part of the breach.
It is unclear how many customers might have been affected, but the company said it had 9.4 million online customers as per its most recent annual report, which dates to March 2024.
Who is at risk?
While M&S says passwords and payment details were not accessed, the company has warned that there could be additional security risks as a result of the stolen data.
“While it’s reassuring that card and account details don’t appear to have been taken in the M&S cyber incident, it’s concerning that criminals have gained access to information that could be used for identity fraud,” said Lisa Barber, tech editor of consumer rights group Which? said in a statement.
How can consumers protect their data?
Firstly, change the passwords you’ve used for an M&S account, as well as the password for other accounts if it is the same one used elsewhere, ensuring your password is unique from other online accounts.
“M&S customers should also be on the lookout for scammers using the data breach as an opportunity to contact them impersonating legitimate organisations,” said Barber.
You should also treat any contact out of the blue with suspicion and be especially wary of anyone who asks you to verify account details or payment information, she added.
Lastly, don’t give any personal details over the phone or via email, and contact the company directly to check if it’s them.
Who is responsible for the M&S attack?
A ransomware and extortion gang called DragonForce reportedly took credit for the cyberattacks on several UK shops, including Marks & Spencer, according to some UK media reports.
Harrods and the grocery store Co-op were also targeted around the same time M&S was hacked.
Last week, the BBC reported that DragonForce claimed it had the private information of 20 million people who signed up to Co-op’s membership list.
