“Now, shoppers might be questioning if M&S is still such a great place to visit” – Russ Mould, AJ Bell

The financial fallout is “piling up” for Marks & Spencer, analysts have warned, after its revelation that customers’ personal data has been taken by hackers.

Chief executive Stuart Machin said the data had been accessed due to the “sophisticated nature of the incident”, though he stressed this does not include payment or card details, or account passwords.

Personal data that could have been accessed includes names, email addresses, postal addresses and dates of birth, according to M&S.

Marks and Spencer is one of the most familiar and longest established names on the British high street.

It is another twist in the tale of cyber woe for one of Britain’s most beloved retailers and a major blow given M&S’s recent run of success has been partly down to its efficiency in managing its multi-channel operations, with web-based click and collect services proving to be particularly popular.

The group has not been able to take any orders through its website or app since April 25 as it tries to resolve the issue. M&S first reported the issue over the Easter weekend, with the incident causing initial problems for the retailer’s contactless payments and click and collect orders, while it has also impacted some product availability in stores.

A hacking group operating under the name Scattered Spider has been reportedly linked to the cyber attack.

In its latest update, M&S did not say how many shoppers had been affected but it has emailed all website customers to alert them about the data breach. It had 9.4 million active online customers in the year to March 30, according to its last full-year results.

Marks & Spencer is still suffering from last month’s cyber attack

In a social media post, Machin said: “We have written to customers today to let them know that unfortunately, some personal customer information has been taken.

“Importantly there is no evidence that the information has been shared and it does not include usable card or payment details, or account passwords, so there is no need for customers to take any action.

“To give customers extra peace of mind, they will be prompted to reset their password the next time they visit or log on to their M&S account and we have shared information on how to stay safe online.”

Greg Zakowicz, senior ecommerce expert at Omnisend, said: “At the moment, the retailer’s advice is to change your account password and ensure it is unique and strong. But as an added layer of security, we would suggest that online customers enable two-factor authentication wherever possible and be cautious of phishing emails or suspicious calls that may use leaked data to appear legitimate.”

The recent spate of cyber attacks has prompted general advice on how companies can remain vigilant.

Susannah Streeter, head of money and markets at investment platform Hargreaves Lansdown, said the revelation that customer details have been stolen was not surprising, given the “deep nature of the breach”.

She said: “The share price has risen in early trade in a beat of relief that the hackers haven’t been able to access ringfenced bank details, and that the company is working with leading cyber security experts and law enforcement. But the update highlights that the cyber chaos is still without end, with the financial damage to the company piling up.

“Every extra day that shoppers are unable to buy online means yet more unsold inventory, and shares are down almost 18 per cent since the crisis unfolded during the Easter weekend.”

She added: “Even though stores are open, many simply don’t stock the popular ranges from online. Fashion sales are likely to be the biggest casualty particularly as the attack has come during the spell of warm weather when summer ranges would ordinarily be piling up in virtual baskets.”

M&S’s annual results, due to be released on May 21, will be watched closely for any update on the financial impact. While M&S shoppers are still unable to buy online, it was able to restart contactless payments in store fairly quickly and said customers can now take online order returns to stores.

Russ Mould, investment director at AJ Bell, warned of the potential wider fallout from the attack.

He said: “Shoppers have faith in the company to provide high quality products and to deliver service with a smile. Now, shoppers might be questioning if M&S is still such a great place to visit. So many people worry about the safety of their information that they might vote with their feet and go elsewhere if there are lingering concerns about the robustness of M&S’s systems.”

Earlier this month, the Information Commissioner’s Office said it was also looking into the M&S attack, as well as a similar major incident involving the Co-operative Group. Meanwhile, luxury department store Harrods confirmed earlier this month it had been affected by an attempted hack and had temporarily restricted internet access across its sites as a precautionary measure. The National Crime Agency has said it is investigating the attacks individually but is “mindful they may be linked”.

Staying safe

Experts said all businesses should be regularly reviewing cyber controls as the threat of attack continues to increase.

Sheila Pancholi, technology risk partner at RSM UK, the audit, tax and consulting firm, said: “Organisations are accountable for effective governance, cyber controls, resilience and importantly robust plans to respond effectively to cyber incidents. The first line of defence against cyberattacks is often employees, so it’s important to also ensure staff are regularly trained and educated on cyber risks and how to spot attempts to access systems via increasingly sophisticated phishing emails, or links to bogus websites.”

David Mound, senior penetration tester at third-party risk management platform SecurityScorecard, said: “For organisations, the lesson is clear: focus on identity security and third-party risk. That means deploying phishing-resistant multi-factor authentication (MFA), restricting administrative access, and training staff, especially helpdesks, to verify who they’re dealing with.

