Marks & Spencer, the large British retailer, said on Tuesday that some customer data had been stolen in a cyberattack last month, an incident that has left the company unable to process online orders for weeks.
In an email to customers, M&S said that while some personal data, potentially including contact details and dates of birth, may have been accessed during the attack, there was no evidence that it had been shared. No card or payment details nor account passwords were compromised, the email said.
M&S, which reported more than 13 billion British pounds (roughly $17.2 billion) in annual revenue in the year ending in March 2024, reported the incident to government and law enforcement officials.
The disclosure followed recent attacks on other British retailers. In late April, Harrods experienced brief disruptions, restricting internet access at its sites as a security measure. Co-op, another British retailer, reported that a cyberattack last month caused limited impact to some back office and call center services.
Ransom attacks, which sometimes aim to disrupt services in addition to stealing customer data, have been increasing in frequency and severity. In recent years, hospitals have been crippled by attacks, including in Britain last year, when hospitals had to cancel more than 800 planned operations, and 700 outpatient appointments needed to be rescheduled, including 97 cancer treatments, in the first week after the incident.
It remained unclear who perpetrated the attacks and if they were connected. Britain’s National Cyber Security Center said in a statement this month that it was working with the affected companies.
“These incidents should act as a wake-up call to all organizations,” said Richard Horne, the agency’s chief executive. He urged companies to ensure they had appropriate measures in place to prevent future attacks. The National Cyber Security Center was working to understand the nature of the attacks and to provide counsel to the sector.
