Marks & Spencer admits customer data was stolen in ransomware attack
But says payment card information and passwords were not taken
Marks & Spencer has admitted that customer data has been stolen during the recent ransomware attack that took many systems and services offline.
The high street retailer said that information including contact details, phone numbers, emails, order history and dates of birth could now be in the hands of cyber criminals, but the company said that no payment card details or passwords had been affected. Nevertheless, customers will be prompted to change their passwords “for extra peace of mind”.
Letters to customers from CEO Stuart Machin and operations director Jayne Wall have been published on social media and the Investigate site.
Wall said there is “no evidence that information has been shared” but added that customers should be cautious about any communications received from M&S.
Shares in the company rose by 1.4% on the news that customers’ financial details had not apparently been compromised but were still around 15% down on their value on Easter Monday when the cyberattack took place. The company reported a £120 million loss for Q1 2025, mainly due to lost sales and downtime.
It is estimated that the attack, which has been pinned on a loose collective of hackers known as Scattered Spider, has cost M&S more than £700 million in lost market value.
Since 25th April M&S has been unable to take online orders. Contactless payments have also been affected, and many services are still not functional three weeks after the attack, with goods sent by mail undelivered and in some cases missing.
In recent days, Harrods and Co-op Group have also confirmed breaches, prompting urgent calls from government officials for businesses to treat cybersecurity with the same seriousness as physical security.
M&S was accused by an insider of being unprepared for a cyberattack, and lacking proper continuity plans.
Commenting on the fallout from the attack, Jake Moore, global cybersecurity advisor at security vendor ESET, said “M&S’s prolonged cyber crisis is a textbook example of how attacks don’t just knock systems offline, they erode brand trust, client share prices and impact sales.”
He added: “When threats like ransomware-as-a-service are so widespread, and attackers are so relentless, it's vital for M&S and others to let this serve as a wake-up call: you can’t afford to wait until after the damage is done.”
Sam Kirkman, director of services, EMEA at security vendor NetSPI warned: “While it is positive that there is ‘no evidence that the information has been shared’, we're not out of the woods yet. Ransomware groups are financially motivated and it is common for them to deploy ‘double extortion’ tactics.”
He continued: “The personal information stolen in this breach would significantly increase the risk of identity fraud if it is released publicly or shared with other criminals. It is therefore vital that potential victims monitor their credit scores to ensure financial products are not taken out in their name, without their consent. It is also important to remain alert to scams which may leverage this information toward you or your family members to appear more legitimate.”
David Currie, CEO of data security firm Vaultree, said M&S should be supported as it tries to recover from the attack, rather than derided by “ambulance chasers”.
“No matter how robust, mature, or advanced our security practices may be, any organisation could be next,” he said.
“Cybersecurity is a discipline rooted in vigilance, not perfection. We all operate in an increasingly complex threat landscape where attackers only need to succeed once, while defenders must succeed every time. Even the most mature organisations, with well-resourced security teams and advanced tooling, are not immune.
“As cybersecurity leaders, we have a responsibility to build a culture of resilience, empathy, and shared defence. That means learning from one another, supporting one another, and recognising that we are all on the same side.”