Marks and Spencer (M&S) confirms that customer data was stolen in a cyberattack last month, when ransomware was used to encrypt servers.
The attack occurred on April 22, 2025, significantly impacting business operations at the retailer’s 1,400 stores and forcing it to stop accepting online orders.
BleepingComputer first revealed that the attacks were conducted by DragonForce ransomware affiliates utilizing Scattered Spider social engineering tactics to breach Marks and Spencer’s network. During the attack, the threat actors encrypted VMware ESXi virtual machines hosted on the company’s servers.
Since then, M&S has been investigating the attack and confirmed that the intruders stole sensitive personal information belonging to customers.
This was announced by M&S CEO, Stuart Machin, who posted a letter on the retailer’s official Facebook page.
“As we continue to manage the current cyber incident, we have written to customers today to let them know that unfortunately, some personal customer information has been taken,” states Machin.
“Importantly, there is no evidence that the information has been shared and it does not include usable card or payment details, or account passwords, so there is no need for customers to take any action.”
Despite these assurances, all customers with active M&S accounts will be prompted to reset their password the next time they attempt to log in via the website or app.
An FAQ page published on the M&S website says the following data types have been exposed:
- Full name
- Email address
- Home address
- Phone number
- Date of birth
- Online order history
- Household information
- Sparks Pay reference numbers
- “Masked” payment card details
The term “masked” is unclear, but it could mean that only partial numbers are exposed. BleepingComputer contacted M&S to confirm.
“You do not need to take any action, but you might receive emails, calls or texts claiming to be from M&S when they are not, so do be cautious,” warns M&S.
“We will never contact you and ask you to provide us with personal account information, like usernames, and we will never ask you to give us your password.”
Sparks offers will be paused for now, but no specific updates on the status of online order processing or other business disruptions were shared at this time.
M&S said it would notify all impacted customers accordingly and promised to share more details when those become available.