Marks & Spencer Confirms Customer Data Stolen in Cyber Attack

Marks & Spencer has confirmed that personal customer data, including names, addresses, and order histories, was stolen in a ransomware cyber-attack that has disrupted its online operations for over three weeks. The company emphasized that no usable payment or card details, nor account passwords, were accessed or shared, as payment information is not stored on its systems. M&S has advised customers that there is no need to take immediate action but recommended resetting passwords for extra security, while warning about potential scam attempts. The attack has caused significant financial losses, with Deutsche Bank estimating a profit hit of at least £30 million and ongoing losses around £15 million per week, although cyber insurance is expected to cover most of the impact. M&S has involved cybersecurity specialists, law enforcement, and government agencies to manage the incident, and the Information Commissioner's Office is investigating the breach alongside the National Cyber Security Centre. Despite the setback, M&S's physical stores remain open, but its share price has fallen due to the ongoing operational disruption.