Evening Standard
Business
Jonathan Prynn

M&S cyber crisis deepens as it admits hackers stole customer data

M&S has not been able to sell online since April 25 (Jonathan Brady/PA) - (PA Wire)

The cyber hacking crisis at Marks & Spencer deepened today when the retailer admitted that “personal customer data” had been stolen by the gang behind the attack.

However, the company said this did not include “useable payment or card details” or passwords.

But M&S said that for “extra peace of mind” customers will be prompted to change their passwords next time they log in to their online accounts.

It is now more than three weeks since M&S management first became aware their systems had been breached by hackers on Easter Saturday.

Customers have not been able to shop online since April 25 although stores are operating normally.

A slump in the share price has wiped around £1 billion off the value of the company, which presents its full-year results later this month.

In a social media update chief executive Stuart Machin said: “As we continue to manage the current cyber incident, we have written to customers to let them know that unfortunately some personal information has been taken.

“Importantly there is no evidence that the information has been shared and it does not include useable card or payment details, or account passwords, so there is no need for customers to take any action.

“To give customers extra peace of mind they will be prompted to reset their passwords the next time they visit or log on to their M&S account and we have shared information on how to stay safe online.”

The company added: “As part of our proactive management of the incident, we have taken steps to protect our systems and engaged leading cyber security experts. We have also reported the incident to relevant government authorities and law enforcement, who we continue to work closely with.”

Other retailers including the Co-op and Harrods have also been targeted in recent weeks.

Susannah Streeter, head of money and markets, Hargreaves Lansdown, said: “The revelation that customer details have been stolen is not surprising, given the deep nature of the breach, but it’s yet another setback for the company, which is trying to minimise damage to its reputation.

“The saving grace is that the compromised data does not include usable card details or payment data and passwords have not been compromised. But, for peace of mind, customers will be prompted to change their passwords when logging on.

“The share price has risen in early trade in a beat of relief that the hackers haven’t been able to access ringfenced bank details, and that the company is working with leading cyber security experts and law enforcement.

“But the update highlights that the cyber chaos is still without end, with the financial damage to the company piling up. Every extra day that shoppers are unable to buy online means yet more unsold inventory, and shares are down almost 18% since the crisis unfolded during the Easter weekend.”
