Marks & Spencer confirms customer data theft in recent cyberattack

Marks & Spencer has confirmed that customer data was stolen in the recent cyberattack, prompting the retailer to enforce mandatory password resets for all online accounts to enhance security and protect customer information.

A cyber incident has disrupted operations across M&S’s 1,400 retail outlets. (Photo: Shutterstock)

British retailer Marks & Spencer (M&S) has confirmed that the cyberattack last month compromised customer data, potentially exposing details such as names, phone numbers, home addresses, and birth dates.

The breach occurred on 22 April 2025 and subsequently led to a suspension of online orders beginning 25 April. This incident has disrupted operations across M&S’s 1,400 retail outlets and has been a contributing factor to a 15% decline in the company’s stock value since Easter weekend.

“The nature of the incident means that some personal customer data has been taken, but there is no evidence that it has been shared,” M&S stated in a corporate update. “The personal data could include contact details, date of birth and online order history. However, importantly, the data does not include usable card or payment details, and it also does not include any account passwords.” M&S CEO Stuart Machin echoed this in a letter posted on the company’s official Facebook page, aiming to alleviate customer concerns.

The cyberattack was executed by DragonForce ransomware affiliates using Scattered Spider social engineering methods to infiltrate M&S’s network. The attackers encrypted VMware ESXi virtual machines on the company’s servers, demanding a ransom to restore control. M&S has since been investigating the breach.

M&S implements password reset protocols

In the corporate update, M&S advised customers to be vigilant against potential phishing attempts. “You do not need to take any action, but you might receive emails, calls or texts claiming to be from M&S when they are not, so do be cautious,” the statement said. “Remember that we will never contact you and ask you to provide us with personal account information, like usernames, and we will never ask you to give us your password.”

As a precaution, all M&S account holders will need to reset their passwords upon their next login attempt on the website or app.

Although M&S has not disclosed the exact number of customers affected, it has taken steps to inform all website users about the breach. The company’s last full-year results indicated that it had approximately 9.4 million active online customers.

The cyberattack on M&S is part of a broader trend affecting the UK retail sector. The Co-op, another retailer, experienced a similar cyber incident recently. The consumer-owned co-operative, which operates over 2,500 supermarkets and 800 funeral homes across the UK, plans to resume its online ordering services for suppliers soon, reported BBC News.

Read more: Harrods becomes third UK retailer this week hit by cyberattack
