Marks & Spencer Admits Cybercrooks Made Off With Customer Info

Marks & Spencer has confirmed that customer data was stolen as part of its cyberattack, fueling conjecture that ransomware was involved.

The retail giant’s operations were hit hard, it had to pull systems and services offline, and now data has been exfiltrated – all of which are common hallmarks of a ransomware attack. Yet M&S has neither confirmed nor denied the involvement of ransomware.

In a statement posted to the London Stock Exchange Tuesday morning, M&S said: “Today, we are writing to customers informing them that due to the sophisticated nature of the incident, some of their personal customer data has been taken. Importantly, the data does not include usable payment or card details, which we do not hold on our systems, and it does not include any account passwords. There is no evidence that this data has been shared.

“We have said to customers that there is no need to take any action. For extra peace of mind, they will be prompted to reset their password the next time they visit or log onto their M&S account, and we have shared information on how to stay safe online.

“We remain grateful for the support that our customers, colleagues, partners, and suppliers have shown us during this time.”

The Register asked M&S for more details about the type of data stolen. It directed us to the customer update displayed on its website, which confirmed names, dates of birth, telephone numbers, home addresses, household information, email addresses, and online order histories could be affected.

We also asked what exactly it meant by “usable payment or card details.” A spokesperson said: “We don’t hold full card payment details on our systems, so it’s masked and not usable.”

M&S is one of the three big British retailers battling cybersecurity troubles alongside the Co-op and Harrods. It detected the intrusion on April 22 and recovery efforts are ongoing.

The incident was widely thought to involve ransomware from the outset, and wider reports suggested the group known as Scattered Spider could be behind the attacks, equipped with DragonForce’s ransomware payload.

DragonForce’s site on the dark web mysteriously went down around the time of the M&S attack but came back online in recent days after a lengthy outage. None of the three retailers appear on the website, and the group’s leadership has not laid claim to any of these attacks.

M&S has experienced various types of operational disruption since the attack was confirmed last month, from its in-store returns function being unavailable, shuttering all online and app orders, to stock shortages at its satellite stores.

Likewise, Co-op has also been dealing with stock issues at various stores across the UK, while luxury goods store Harrods has kept its cards close to its chest with very little public communication.

As ever, cybersecurity experts have warned customers to remain vigilant to phishing attacks now that their data is in the hands of criminals.

Matt Hull, head of threat intelligence at NCC Group, said: “The data breach at M&S is a stark reminder that no organization is completely immune from cyber threats, and that all forms of customer data require stringent protection.

“Despite the absence of financial data or passwords, threat actors could potentially use the stolen information to launch targeted social engineering attacks. Stay vigilant for phishing messages pretending to be from M&S or other companies you’ve dealt with. These attackers might use the leaked M&S information to craft very convincing scams.

“Cybercriminals are also likely to sell this data on the dark web as well, putting customers at even more risk.

“If you’re unsure about an email’s authenticity, don’t click any links. Instead, visit the company’s website directly to verify any claims. This extra step can protect you from falling victim to phishing attacks.”

Since the cyberatack was made public on April 22, the M&S share price has slumped by more than 14 percent, wiping in excess of £1 billion ($1.32 billion) off its market capitalization. ®

Original Source