Updated May 13, 4:15pm BST with comment from Harrods.

The personal data of customers at major UK retailer Marks & Spencer (M&S) was accessed during its recent cyber attack, the company confirmed as it informed millions of the breach.

Data on customer names, contact details, home addresses and “‘masked’ payment card details” was accessed by the ransomware attackers, linked by some to the international Scattered Spider network of actors.

In an email sent to all online account holders, Director of Operations Jayne Wall said while the company had protected its systems, “the nature of the incident means that some personal customer data has been taken, but there is no evidence that it has been shared.”


M&S did not provide a number of customers affected but its latest annual report boasted 9.4 million active online customers between March 2023 and 2024, all of whom were informed of the breach.

The alert said names, email addresses, home addresses, telephone numbers, dates of birth, online order histories, household information, and partial or "masked" card details have been stolen; the company explained it "does not hold full payment card details on its systems".

While it did not mention account details, M&S said it would also be prompting all users to change their passwords for "extra peace of mind".

A ransomware retail crisis

The retailer first confirmed it had been the victim of an attack on 23 April, when customers reported issues with online orders and the Click & Collect service, both of which were then suspended and currently remain so.

It has stayed quiet about potential perpetrators but, behind the scenes, reports have pointed to Scattered Spider, or Octo Tempest, a loose network of threat actors best known for an attack on MGM Resorts in 2023.

Recent attacks at Harrods and the Co-op group were also tied to the network, though M&S is the only one of the three to confirm customer data was accessed. Harrods told The Stack that "it remains the case that we have not seen any evidence of data exfiltration relating to Harrods customers". Co-op has also been asked to confirm whether it is aware of customer details being accessed.

All three have been fairly cagey on specific details, such as whether they really did suffer a ransomware attack and whether they subsequently paid up, but the incidents have prompted an investigation by the Information Commissioner.

The incidents have also spotlighted legislation recently put to public consultation that could see all UK organisations prohibited from making ransomware payments and subject to mandatory reporting requirements.
