Marks & Spencer has today admitted that customer data was stolen in the devastating cyber hack that has so far cost it more than a £1billion.
In a fresh update this morning, the retailer warned contact details and dates of births from some shoppers have been snatched by a suspected cyber cartel.
And M&S said other personal details were also pilfered by digital crooks, including customers’ order histories.
However, bosses at the chain have insisted no data relating to shoppers’ payment or card details, or account passwords, had been taken.
It’s unclear how many shoppers have been affected by the major data breach. However, the group had 9.4 million active online customers in the year to March 30, according to its last full-year results.
Stuart Machin, M&S chief executive, said the firm was writing to customers to inform them that ‘unfortunately, some personal customer information has been taken’.
‘Importantly, there is not evidence that the information has been shared,’ he said, adding: ‘Everyone at M&S is working around the clock to get things back to normal for our customers as quickly as possible, and we are very sorry for any inconvenience they have experienced.’
It’s believed M&S could take ‘months’ to recover from the hack over the Easter weekend, which wiped a staggering £1billion off the retailer’s market value.
The hack has cause mayhem for Marks & Spencer meaning it was unable to process online orders. The retailer has now warned some customers’ personal details have been stolen
Pictured is the full letter from M&S’ chief executive Stuart Machin outlining the data breach
British teenagers have been linked to the notorious Scattered Spider hacking group responsible for the cyber attack that continues to cripple Marks & Spencer’s
M&S shares tumbled another 4.7 per cent – meaning the High Street giant has shed over 12 per cent of its value or £1.05billion since the hack. That left M&S with a market capitalisation of £7.4billion.
The latest slump in the share price came as analysts at Deutsche Bank estimated the crisis is costing it £15million in lost profits a week – with a total hit of £30million so far.
M&S has not been able to take any orders through its website or app since April 25 as it tries to resolve the problem.
The incident first caused problems for the retailer’s contactless payments and click and collect orders, while it has also impacted some availability in stores.
In an email to customers today, M&S operations director Jayne Wall said: ‘You do not need to take any action, but you might receive emails, calls or texts claiming to be from M&S when they are not, so do be cautious.
Matt Hull, head of threat intelligence at global cyber security company NCC Group, said the M&S meltdown had been unprecedented.
Warning of the impact, Mr Hull told MailOnline: ‘The data breach at M&S is a stark reminder that no organisation is completely immune from cyber threats, and that all forms of customer data requires stringent protection.’
He added cyber crooks could seek use the data they have allegedly obtained to launch a fresh wave of attack on unsuspecting victims.
‘Despite the absence of financial data or passwords, threat actors could potentially use the stolen information to launch targeted social engineering attacks,’ he warned.
M&S have faced stock issues following the cyber attack which has left many of their shelves empty
More bare fridge shelves inside an M&S supermarket following the cyber attack which crippled the chain
Stuart Machin, M&S chief executive (pictured), said the firm was writing to customers to inform them that ‘unfortunately, some personal customer information has been taken’.
‘Stay vigilant for phishing messages pretending to be from M&S or other companies you’ve dealt with. These attackers might use the leaked M&S information to craft very convincing scams.
‘Cyber criminals are also likely to sell this data on the dark web as well, putting customers at even more risk.’
Scotland Yard detectives are now probing the alleged cyber attack against M&S, which is thought to have been the work of teenage hackers.
Last week, cybercrime group DragonForce claimed responsibility for the ongoing crisis.
The gang also admitted to later carrying out an attack on Co-op, saying ‘personal data such as names and contact details’ had been taken from its membership scheme.
DragonForce, who say their job is ‘not to destroy’, but ‘just take some money and walk away’ claimed more than 90 victims last year and targeted companies across various industries.
The recent attacks have also been linked to the notorious English-speaking teenage hacking gang, Scattered Spider.
The collective of cyber crooks is made up of around 1,000 teenagers and young men across the UK and the US and has been blamed for cyber attacks on other major companies.
The hack has cause mayhem for Marks & Spencer meaning it was unable to process online orders
Pictured is the email M&S customers received following claims some shoppers’ personal details had been taken by cyber crooks during last month’s hack on the retailer
Scattered Spider uses the hacking tools developed by the Russia-linked group known as BlackCat and ALPHV, a possible indication of a business partnership between the groups to share in ransom payments.
However, Investigators believe the attackers on this occasion used a hacking tool from DragonForce, which bills itself as a ‘ransomware cartel’, to carry out the breach.
Scattered Spider has previously been linked with major hacks that incapacitated casino giants MGM Resorts International and Caesers Entertainment.
‘Remember that we will never contact you and ask you to provide us with personal account information, like usernames, and we will never ask you to give us your password.’
The alleged British ringleader of Scattered Spider, Tyler Buchanan, was arrested in Spain last summer, having travelled from London to Barcelona and then on to Palma, Mallorca.
The 23-year-old from Dundee, Scotland, was about to fly to Naples when he was caught by cops at the airport and found to be in control of a cryptocurrency wallet totalling more than $26 million (£20 million) in Bitcoin.
Tyler Buchanan, who has been extradited to the US to face charges relating to his role in Scattered Spider, pictured in 2016
Buchanan being arrested by Spanish police after he fled to Mallorca following an alleged raid on his mother’s home by a rival cyber crime cartel
Buchanan was then extradited to the US on April 23 on charges of conspiracy to commit wire fraud, conspiracy, wire fraud, and aggravated identity theft.
The hacking group is alleged to have targeted employees of companies across the US with phishing text messages and then used the harvested employee credentials to log in and steal non-public company data and information and to hack into virtual currency accounts to steal millions of dollars in cryptocurrency.
Deemed a flight risk, Buchanan was denied bail when he appeared in court in California.
Last week it was reported Buchanan allegedly went on the run after a masked group descended on his mother’s home in Dundee, Scotland.
The crooks were reportedly armed with lit blowtorches and were demanding the passwords for his cryptocurrency accounts.
A neighbour said they had not seen him since the alleged raid on his home in February 2023.
They told The Sun a car turned up and four or five males ‘piled out’ before entering the house and threatening to burn Buchanan with a blowtorch if he refused to give them the information.
According to reports on encrypted messaging app Telegram, which Buchanan was known to frequent under the username ‘Tylerb’, a rival cyber gang hired the men to invade his home.
The same accounts claimed that his mother was assaulted by the intruders.
On Friday May 2, the Information Commissioner’s Office said it is also looking into the cyber attack against M&S, as well as a similar major incident involving the Co-op.
Luxury department store Harrods also confirmed earlier this month it had been impacted by an attempted hack and had temporarily restricted internet access across its sites as a precautionary measure.
The National Crime Agency has said it is investigating the attacks individually but is ‘mindful they may be linked’.
