Marks & Spencer, one of the U.K.’s largest retailers, has confirmed that hackers stole customer data during a cyberattack that occurred last month. Reports Technology News
In a brief filing to the London Stock Exchange on Tuesday, the company acknowledged that customer information was compromised in the breach, though it did not specify how many individuals were affected. According to the BBC, which first reported the disclosure, an online letter from Marks & Spencer revealed that the stolen data includes customer names, dates of birth, home and email addresses, phone numbers, household details, and online order histories.
As a precaution, the retailer has begun resetting online account passwords for its customers.
The company continues to face operational disruption in the aftermath of the attack. Some of its stores are still experiencing outages, and grocery shelves remain partially empty. Marks & Spencer’s online ordering system also remains offline as efforts to restore full service continue.
A spokesperson for Marks & Spencer, Alicia Sanctuary, declined to provide further details on the number of affected customers when contacted by TechCrunch, instead referring to the company’s public statement. The company had 9.4 million online customers as of March 30, 2024, according to its most recent annual report.
Media reports have linked the ransomware and extortion group DragonForce to the cyberattacks on several major U.K. retailers, including Marks & Spencer.
Other retailers targeted around the same time include the Co-op and Harrods. While the Co-op initially claimed there was no evidence of data theft, it later confirmed that customer data had been exfiltrated. In an update on its website, the Co-op said that hackers had accessed names, dates of birth, addresses, email addresses, and phone numbers of its customers.
Last week, the BBC reported that DragonForce claimed responsibility for stealing the private information of 20 million individuals who signed up for the Co-op’s membership program, affecting both current and former members.
The U.K. National Cyber Security Centre said last week that it was “working with the victims and law enforcement colleagues” to understand more about the hacks.
