Marks and Spencer (M&S) confirms that customer data was stolen in a cyberattack last month, when ransomware was used to encrypt servers.
The attack occurred on April 22, 2025, significantly impacting business operations at the retailer’s 1,400 stores and forcing it to stop accepting online orders.
BleepingComputer first revealed that the attacks were conducted by DragonForce ransomware affiliates using Scattered Spider social engineering tactics to breach Marks and Spencer’s network. During the attack, the threat actors encrypted VMware ESXi virtual machines hosted on the company’s servers.
Since then, M&S has been investigating the attack and confirmed that the intruders stole sensitive personal information belonging to customers.
This was announced by M&S CEO Stuart Machin, who posted a letter on the retailer’s official Facebook page.
“As we continue to manage the current cyber incident, we have written to customers today to let them know that unfortunately, some personal customer information has been taken,” states Machin.
“Importantly, there is no evidence that the information has been shared and it does not include usable card or payment details, or account passwords, so there is no need for customers to take any action.”
Despite these assurances, all customers with active M&S accounts will be prompted to reset their password the next time they attempt to log in via the website or app.
An FAQ page published on the M&S website says the following data types were exposed:
- Full name
- Email address
- Home address
- Phone number
- Date of birth
- Online order history
- Household information
- Sparks Pay reference numbers
- “Masked” payment card details
An M&S spokesperson told BleepingComputer that the credit cards are obfuscated in line with PCI guidelines.
“You do not need to take any action, but you may receive emails, calls or texts claiming to be from M&S when they are not, so do be cautious,” warns M&S.
“We will never contact you and ask you to provide us with personal account information, like usernames, and we will never ask you to give us your password.”
Sparks offers will be paused for now, but no specific updates on the status of online order processing or other business disruptions were shared at this time.
M&S said it would notify all impacted customers accordingly and promised to share more details when these become available.