Marks and Spencer cyber attack saga takes another twist as retailer admits customer data stolen

M&S has written to customers informing them that some of their personal data has been taken during a cyber attack.

The retailer was hit by the attack some three weeks ago and is struggling to get services back to normal, with online orders still suspended and many store shelves empty.

The data does not include useable payment or card details, and also any account and passwords. M&S says that it is working with leading cyber experts, government authorities and law enforcement officers.

Shares have risen in early trade but are still down almost 18% since the crisis was sparked.

“The revelations that customer details have been stolen is not surprising, given the deep nature of the breach, but it’s yet another setback for the company, which is trying to minimise damage to its reputation,” says Susannah Streeter, Head of Money and Markets at Hargreaves Lansdown.

“The saving grace is that the compromised data does not include usable card details or payment data and passwords have not been compromised. But, for peace of mind, customers will be prompted to change their passwords when logging on. The share price has risen in early trade in a beat of relief that the hackers haven’t been able to access ringfenced bank details, and that the company is working with leading cyber security experts and law enforcement.”

“But the update highlights that the cyber chaos is still without end, with the financial damage to the company piling up. Every extra day that shoppers unable to buy online means yet more unsold inventory, and shares are down almost 18% since the crisis unfolded during the Easter weekend.”

Marks and Spencer’s recent run of success has been partly down to its efficiency in managing its omnichannel operations, with Click and Collect services proving to be particularly popular. The company has been reducing its store footprint, focusing on smaller food stores where customers can swing buy and pick up products bought online. But this ease of shopping and delivery has now been upended.  

Although store operations are largely back to normal, Click and Collect services remain suspended. Even though stores are open, many don’t stock the popular ranges from online. Fashion sales are likely to be the biggest casualty particularly as the attack has come during the spell of warm weather when summer ranges would ordinarily be piling up in virtual baskets.

While clearly this ongoing situation will inflict considerable financial pain for M&S, there may be a few bright spots in trading conditions for part of the business, Streeter observes.

“The more clement weather is likely to help food sales, where M&S has fared particularly well recently, as shoppers pile into barbeque and picnic ranges, drinks, and snacks. Its tie up with Ocado should also offer resilience, with online grocery orders unaffected by the problems as they are run on an entirely separate system,” she comments.

“The swell of loyalty shown by customers amid the hack attack will also have been heartening to the company, with anecdotal evidence that some shoppers have gone the extra mile and are shopping more in M&S stores in a show of support.’’

No plan in place

Last week, an M&S insider talked to Sky News about chaotic scenes at the UK high street giant as the cyber attack continued to hit hard.

M&S has not said what or who knocked out its online ordering systems, paused deliveries and left empty shelves in stores. But it has been linked to a hacking collective known as Scattered Spider.

The insider told Sky News: “We didn't have any business continuity plan [for this], we didn't have a cyber attack plan. In general, it's lots of stress. People have not been sleeping, people have spent their weekends working, people sleeping in the office - just reactive response."

They added: "The idea is to have some services go back online bit by bit. Not do the whole shebang, but allow the people in the store and to allow people online to have services. We're kind of figuring it out as we go. We're not even allowed to use our work devices, so we're having to use our personal devices, all sorts of things.”

"It's just impossible to work because anything about the incident, we're not allowed to talk about on Teams, which is our usual way of chatting… So we have to use WhatsApp to talk to each other."

There is a "sense of paranoia and therefore not everyone knows everything, because we don't know who has been compromised. They are still trying to figure things out."

An M&S spokesperson said: "We have robust business continuity plans and processes in place for managing incidents, led by an experienced team."

2025 RTIH INNOVATION AWARDS

Cyber security will be a key focus area at the 2025 RTIH Innovation Awards.

The awards, which are now open for entries, celebrate global tech innovation in a fast moving omnichannel world.

Our 2024 hall of fame entrants were revealed during an event which took place at RIBA’s 66 Portland Place HQ in Central London on 21st November, and consisted of a drinks reception, three course meal, and awards ceremony presided over by comedian Lucy Porter.

In his welcome speech, Scott Thompson, Founder and Editor, RTIH, said: “The event is now into its sixth year and what a journey it has been. The awards started life as an online only affair during the Covid outbreak, before launching as a small scale in real life event and growing year on year to the point where we’re now selling out this fine, historic venue.”

He added: “Congratulations to all of our finalists. Many submissions did not make it through to the final stage, and getting to this point is no mean feat. Checkout-free stores, automated supply chains, immersive experiences, on-demand delivery, next generation loyalty offerings, inclusive retail, green technology. We’ve got all the cool stuff covered this evening.”

“But just importantly we’ve got lots of great examples of companies taking innovative tech and making it usable in everyday operations - resulting in more efficiency and profitability in all areas.”

Congratulations to our 2024 winners, and a big thank you to our sponsors, judging panel, the legend that is Lucy Porter, and all those who attended November's gathering. 

For further information on the 2025 RTIH Innovation Awards, please fill in the below form and we will get back to you asap.