
M&S Admit Customer Data Stolen in Cyber Incident

Operations director warns of phishing emails as contact information may have been seized.


M&S has admitted that some personal customer data was stolen in the recent cyber-attack.

As part of its ongoing investigation into the cyber incident from last month, operations director Jayne Wall said the personal data “could include contact details, date of birth and online order history” but stated that “the data does not include useable card or payment details, and also does not include any account passwords.” 

In an email received by SC UK, Wall says that customers “do not need to take any action, but you might receive emails, calls or texts claiming to be from M&S when they are not, so do be cautious.”

Reset Passwords

It said users will be prompted to reset their password when they next log in and “sincerely apologised for any inconvenience caused to you and all of our customers.”

Charlotte Wilson, head of enterprise at Check Point Software, said that customers should not assume there is nothing to worry about as even if payment data or passwords were not taken, the personal information that was, such as email addresses, phone numbers, and home addresses, can still be exploited by cyber-criminals.

“This type of data is protected for a reason,” she said. “It can be used to create convincing scams that feel personal and trustworthy. We often see a spike in phishing emails, fake delivery texts, and scam calls after breaches like this, particularly when order history or usernames are involved.  

“This is not about panic, but it is a reminder that cybersecurity is not just about technology. It requires everyday awareness. Avoid unexpected links, treat unsolicited messages with caution, and turn on two-factor authentication wherever possible.”

Dr Darren Williams, CEO and founder of BlackFog, said that in most cases, the ultimate aim for attackers is to obtain data. “Whilst the retailer has reported that no payment information was compromised, the fact that contact information has been stolen means that customers should be alert to any suspicious messages, calls or emails that claim to be from M&S. It’s a further sign of the escalating risk that all businesses face in this era of cyber-attacks, in which data is their most prized target.”


Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.

