
British retailer Marks & Spencer (M&S) has confirmed that a portion of customer data was compromised in the cyberattack that has affected its operations for over three weeks.
The attack, which has disrupted the company’s online operations, resulted in the theft of information, including customers’ online order histories.
However, M&S assured customers that “useable” payment details and account passwords were not compromised.
In a statement, the company revealed that there was no indication that the stolen data was circulated.
M&S said: “Today, we are writing to customers informing them that due to the sophisticated nature of the incident, some of their personal customer data has been taken. Importantly, the data does not include useable payment or card details, which we do not hold on our systems, and it does not include any account passwords. There is no evidence that this data has been shared.”
The retailer said that there is no immediate need for action on its customers’ side.

“For extra peace of mind, they will be prompted to reset their password the next time they visit or log onto their M&S account and we have shared information on how to stay safe online,” M&S added.
The cyber incident was initially reported by M&S on 22 April 2025, when it was discovered that its contactless payment system and online order collection services were affected.
The retailer then took the step of halting transactions on its websites and applications in the UK, Ireland, and selected international platforms on 25 April.
As well as M&S, Co-op and Harrods also experienced similar security breaches.
Meanwhile, the UK’s cyber authority, the National Cyber Security Centre (NCSC), said that it is actively collaborating with the affected organisations, providing support and advising the retail sector on enhancing cybersecurity measures.
At this year’s CYBERUK conference, the NCSC unveiled two programmes aimed at bolstering the UK’s cyber defences.
The establishment of the Cyber Resilience Test Facilities (CRTFs) programme marks a significant step toward creating a nationwide network of certified facilities. These facilities are designed to enable technology providers to validate the cyber resilience of their products through a uniform and systematic approach.
In addition to the CRTFs, the NCSC is set to introduce a new scheme known as Cyber Adversary Simulation in the coming months. This scheme will certify companies that offer services to evaluate an organisation’s cyber resilience capabilities.
Specifically, these services will focus on assessing an organisation’s preparedness in preventing, detecting, and responding to simulated cyberattacks.