M&S confirms customer personal data was stolen in recent attack

The retailer confirmed hackers accessed customer data – but not payment information or passwords

The M&S logo on the wall above a store entrance.
(Image credit: Getty Images)

Marks & Spencer (M&S) has admitted that some customer data was accessed in the recent cyber attack on the company.

The firm said customers will be asked to reset their password the next time they visit their M&S account as a precaution.

But in a statement the retailer stated: "Importantly, there is no evidence that the information has been shared and it does not include useable card or payment details, or account passwords, so there is no need for customers to take any action."

M&S has been struggling with the after-effects of the hack since the Easter weekend, having been forced to suspend online and app sales the following week.

Initial reports linked Scattered Spider, a cybercrime group known for its high-profile 2023 attack on MGM Resorts, to the attack on M&S as well as to those on The Co-operative Group and Harrods. But in contact with the BBC, the group behind the attacks identified itself as 'DragonForce' and denied any links with Scattered Spider.

The relationship between the two is unclear: Scattered Spider could be operating as an affiliate of the DragonForce ransomware-as-a-service operation, or DragonForce could simply be using some of the same tools and techniques. Reports around the M&S attack have suggested social engineering was the initial access vector, the same method used to breach MGM Resorts. Scattered Spider's other known methods include Telegram and SMS phishing, SIM swapping, and MFA fatigue (bombarding a user with push notifications until one is approved). Members of the group often pose as IT staff to trick workers into sharing their credentials or granting remote access to their computers.
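A detection a security team might want for the MFA-fatigue technique mentioned above, as an added example (not code from M&S, the attackers, or any vendor quoted in this article). It scans constructed authentication log lines for a user who rejects or ignores several push prompts in a short window and then approves one; the log format, field names, sample lines and thresholds are all assumptions made for the illustration:

```python
"""Spot MFA push-fatigue ("push bombing") in authentication logs.

Added example, not code from M&S, the attackers, or any quoted vendor.
The log format, field names and sample lines are constructed for this
illustration; adapt parse_line() to your identity provider's export.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

REJECTED = {"denied", "timeout"}   # outcomes where the user did not approve


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    result: str   # push outcome: approved | denied | timeout
    ip: str       # source of the login attempt that triggered the push


@dataclass(frozen=True)
class Alert:
    kind: str        # "push_bombing" or "approval_after_bombing"
    user: str
    rejected: int    # pushes rejected / timed out inside the window
    first_ts: datetime
    last_ts: datetime
    ips: tuple       # distinct source IPs seen in the window


def parse_line(line: str) -> AuthEvent:
    """Assumed line format: '<ISO-8601 ts> user=<u> result=<r> ip=<ip>'."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return AuthEvent(datetime.fromisoformat(ts_str), fields["user"],
                     fields["result"], fields["ip"])


def detect_push_fatigue(events, threshold=3, window=timedelta(minutes=10)):
    """Sliding-window detector keyed on user.

    push_bombing: the user has rejected `threshold` pushes inside `window`
      (someone holding the password is hammering the MFA prompt).
    approval_after_bombing: an approval arrives while >= threshold rejects
      are still inside the window, i.e. the user probably gave in. Treat
      the resulting session as compromised.
    """
    recent = defaultdict(deque)   # user -> events still inside the window
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        q = recent[ev.user]
        while q and ev.ts - q[0].ts > window:   # expire old events
            q.popleft()
        q.append(ev)
        rejected = [e for e in q if e.result in REJECTED]
        ips = tuple(sorted({e.ip for e in q}))
        if ev.result in REJECTED and len(rejected) == threshold:
            alerts.append(Alert("push_bombing", ev.user, len(rejected),
                                q[0].ts, ev.ts, ips))
        elif ev.result == "approved" and len(rejected) >= threshold:
            alerts.append(Alert("approval_after_bombing", ev.user,
                                len(rejected), q[0].ts, ev.ts, ips))
            q.clear()   # campaign concluded; do not re-alert on these events
    return alerts


def analyze(log_text: str, **kw):
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return detect_push_fatigue(events, **kw)


# Constructed sample: jdoe is bombed and gives in; asmith rejects one push
# by accident; bwong's rejects are too spread out to share one window.
SAMPLE_LOG = """\
2025-04-19T02:14:03 user=jdoe result=denied ip=203.0.113.7
2025-04-19T02:14:41 user=jdoe result=timeout ip=203.0.113.7
2025-04-19T02:15:20 user=jdoe result=denied ip=203.0.113.7
2025-04-19T02:16:05 user=jdoe result=denied ip=203.0.113.7
2025-04-19T02:17:30 user=jdoe result=approved ip=203.0.113.7
2025-04-19T02:20:00 user=asmith result=denied ip=198.51.100.4
2025-04-19T02:21:10 user=asmith result=approved ip=198.51.100.4
2025-04-19T03:40:00 user=bwong result=denied ip=192.0.2.9
2025-04-19T03:55:00 user=bwong result=denied ip=192.0.2.9
2025-04-19T04:10:00 user=bwong result=denied ip=192.0.2.9
2025-04-19T04:12:00 user=bwong result=approved ip=192.0.2.9
"""

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"{a.kind:24} {a.user:8} rejected={a.rejected} "
              f"{a.first_ts:%H:%M:%S}-{a.last_ts:%H:%M:%S} ips={','.join(a.ips)}")
```

The approval-after-bombing alert is the one worth paging on: it marks the moment an attacker who already holds the password obtained a session. Number matching or phishing-resistant factors such as FIDO2 keys remove the blind push-approve step altogether, which is the durable fix.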

"While Scattered Spider has not publicly claimed responsibility for the UK retail intrusions, the initial access tactics, cloud exploitation, and social engineering techniques observed in those breaches align closely with the group’s known behaviour," said Adi Bleih, a security researcher at Cyberint.

"It is increasingly likely that Scattered Spider was involved in the early-stage intrusion, which was then followed by ransomware deployment and extortion by DragonForce or one of its affiliates."

M&S said it has been working with external experts to help secure its systems, and has reported the incident to the appropriate government authorities and law enforcement.

Lisa Forte, a partner at Red Goat Security, said that M&S had behaved responsibly and that the attack underlined the strain security teams are under when it comes to reporting breaches.

"This is a hard question to answer, as most of us aren’t working there nor privy to the information they have. So I’m withholding judgement on that, but I will say not speaking sooner puts you at risk the hackers will let it out," she said.

"Conversely, stating this too soon without all the facts and mitigations can cause more panic and even open consumers up to scammer risks. My answer would change dramatically if it were health info or credit card details, for instance."

M&S continues to deal with the incident, with its share price having fallen by 15% since the incident was first made public. Jake Moore, global cybersecurity advisor at ESET, said the events are an important reminder of the widespread damage cyber attacks can inflict on enterprises.

“M&S’ prolonged cyber crisis is a textbook example of how attacks don’t just knock systems offline, they erode brand trust, client share prices and impact sales. With £3.5 million lost, £1.3 billion wiped from its value and online operations still disrupted, the business is clearly feeling the long tail of this breach,” he stated.

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.