Was my data stolen in M&S cyber attack and when will it be back online?

13 May 2025, 10:47 | Updated: 13 May 2025, 11:10

Marks and Spencer is still offline after the cyber attack in April. Picture: Getty

By William Mata

Marks and Spencer has said that personal data was taken from customers in the cyber attack on its system.

The company’s chief executive Stuart Machin revealed on Tuesday that contact details, order histories and dates of birth are among what was taken.

Telephone numbers, email addresses and home addresses could also have been taken but bank details and passwords were not affected by the attack three weeks ago.

The attack caused M&S to halt all of its online business

“Today, we are writing to customers informing them that due to the sophisticated nature of the incident, some of their personal customer data has been taken,” Mr Machin said in a statement.

He added: “We remain grateful for the support that our customers, colleagues, partners and suppliers have shown us during this time.”

This is what we know so far.

Marks and Spencer has kept its physical shops open. Picture: Getty

What happened with the Marks and Spencer cyber attack?

Marks and Spencer has kept all of its online orders paused since April 25, following a cyber attack on its systems in April.

The incident first caused problems for the retailer’s contactless payments and click and collect orders, while it has also impacted some availability in stores.

The incident is still being investigated but the culprit is thought to be a hacking group operating under the name Scattered Spider.

Also known as Octo Tempest, the group is thought to be unusual because its members are English and American, whereas many groups like this are typically based in Russia. Members of the group are thought to be as young as 16 years old.

Has my data been stolen?

Customers with an online account were all emailed on Tuesday with the latest update, but the email did not say which customers had been affected.

The types of data that could have been stolen include the customer’s name, date of birth, telephone number, home address, household information, email address, and online order history.

Mr Machin’s statement said: “Importantly, the data does not include usable payment or card details, which we do not hold on our systems, and it does not include any account passwords.

“There is no evidence that this data has been shared.”

What can I do about this?

Customers do not need to do anything.

The only action is that they will be prompted to reset their password the next time they visit or log onto their M&S account.

The company has also shared information on how to stay safe online.

Have online orders been restored?

Not yet. Marks and Spencer has paused all of its online orders due to the cyber attack and, as of May 13, was still working to get the site back up and running.

Why would a hacking group like Scattered Spider attack M&S?

It is not known if Scattered Spider is behind it but it is believed such a hacking group encrypted important Marks and Spencer systems using ransomware.

This technique means that companies are forced to consider a ransom to be able to unlock their systems once again.

Tim Mitchell, a senior security researcher at Secureworks, told The Guardian: “Their motivation appears to be as much about bragging rights on those channels [where they communicate] as about money.”