Marks and Spencer has said that some customer data was stolen by hackers who launched a devastating cyber attack that is still affecting shoppers.
In their latest update this morning, they said ‘some customer information has been taken’, however said this did not include ‘useable card or payment details or account passwords, so there is no need for customers to take any action’.
Users would be prompted to change their passwords nevertheless, however, to give them ‘extra peace of mind’.
In the message, chief executive Stuart Machin said: ‘Everyone at M&S is working around hte clock to get things back to normal for our customers as quickly as possible, and we are very sorry for any inconvenience they have experienced. Our stores remain open as they have throughout.’
The high street chain did not say how many customers had been affected.
Shoppers are still unable to buy M&S products online via their website or app due to the cyber attack, while shops have also been hit with empty shelves.
The retailer first blocked online orders on April 25, meaning this is now the third week where a major part of their sales is complete out of action.
A customer service rep wrote on Instagram yesterday: ‘At the moment, we can’t confirm when we’ll be taking orders again on the website. However, we’re working very hard to get operations back online as soon as possible. Our stores remain open as usual and we’re looking forward to welcoming you.’
The incident first caused problems for the retailer’s contactless payments and click and collect orders, while it has also impacted some availability in stores.
Timeline of the cyber attack on M&S
February 2025: Initial Breach?
The exact date of the initial breach has not been confirmed, but cybersecurity experts believe attackers could have infiltrated M&S’s systems as early as February. Before causing any disruption, they could have laid low ensuring they first had deep access to the company’s internal network.
Saturday, April 19: First problems reported
Customers began reporting issues with contactless payments and Click & Collect services across M&S stores over the Easter weekend. At the time, these were thought to be routine technical glitches.
Monday, April 21: Cyber Incident Confirmed
M&S publicly acknowledged a ‘cyber incident’ and began taking internal systems offline to contain the breach. This marked the first official confirmation of a serious issue, with a statement to the stock exchange.
Wednesday, April 23: Click and Collect and Contactless disruption
Customers were told they could no longer use the Click and Collect service, while contactless payments were also suspended. A message to customers apologised for the ‘changes which may inconvenience you’.
Friday, April 25: Online orders suspended
M&S suspended all online orders via its website and mobile apps, with customers only able to browse products online. Service has still not yet been resorted
Tuesday, May 13: Marks confirms customer data stolen
A message to customers acknowledged that personal data had been accessed by hackers, although the company said this did not include usable payment details or passwords.
Marks and Spencer has not been the only major brand affected by a cyber attrack in recent weeks.
Harrods was hit, with upmarket shoppers warned that the company had ‘restricted internet access’, leaving some unable to pay.
Meanwhile, hackers are also thought to have accessed the personal details of shoppers at Co-op.
They claimed to have obtained data related to 20 million customers who signed up to the supermarket’s membership scheme, a number which the company has neither confirmed nor disputed.
Get in touch with our news team by emailing us at webnews@metro.co.uk.
For more stories like this, check our news page.
MORE: Dad ‘stabs dead his wife, their two kids and himself hours before son’s graduation’
MORE: Neighbour drove couple out of their new home using loud music and power tools
MORE: Brother and sister knifed man to death after ‘row over cannabis’
