What we know about it and the impact it’s having

Marks & Spencer has revealed that some customer data was stolen during a recent cyber attack targeting the retailer.

The company has been struggling to get services back to normal since the attack in April, which left some shelves empty, deliveries in limbo and online orders suspended.

It told customers on Tuesday to remain cautious about receiving emails, calls or texts claiming to be from M&S.

Here’s what we know about the attack and the impact it is still having.

M&S has now revealed that some personal customer data was stolen during the attack.

It says information taken could include contact details such as people’s names, home addresses, phone numbers or email addresses.

Dates of birth and online order history may also be among the data stolen.

But it does not include useable payment or card details, or account passwords, M&S says.

The retailer will prompt customers to reset passwords for “peace of mind”.

It adds that while users do not need to take any action, they should remain alert to possible attempts to extract or misuse their information.

M&S’s problems began over the Easter weekend, with customers reporting problems with Click & Collect and contactless payments.

The company confirmed it was dealing with a “cyber incident” and although those services have resumed, on Friday 25 April, it paused online orders on its website and apps.

Now, more than two weeks on, there is still no word on when online orders will resume.

It is understood that customers who have received a ready-to-collect email can pick up their order in store, and orders placed after Wednesday 23 April will be refunded.

Some stores were also missing certain food items, after the firm took some of its systems offline.

Signs on empty shelves read: “Please bear with us while we fix some technical issues affecting product availability.”

It is understood the availability of groceries in the majority of food halls improved over the early May Bank Holiday weekend.

However, later reports suggested that some stores did not have all the items needed to make up meal deal offers.

An M&S spokesperson said: “Customers can still buy meal deals in our rail station stores but there are pockets of availability for some items. We are working hard to continue getting our products into stores.”

In addition, the company has pulled all job adverts from its website, with a message saying: “Sorry you can’t search or apply for roles right now, we’re working hard to be back online as soon as possible.”

There has been silence from M&S on what or who was behind the attack on its systems, but we now know it was a ransomware attack.

This is a type of malicious software used to scramble important data or files after gaining access to a business’ computer systems, essentially locking them away unless a ransom is paid.

Hackers often threaten to leak or sell the data to pressure a business to pay up.

A ransomware group called “DragonForce” told the BBC it was responsible for the attack on M&S, the Co-op and an attempted hack of Harrods and said there would be more attacks soon.

DragonForce operates an affiliate cyber crime service so anyone can use their malicious software and website to carry out attacks and extortions.

It’s not known who is ultimately using the DragonForce service to attack the retailers, but some security experts say the tactics seen are similar to that of a loosely coordinated group of hackers who have been called Scattered Spider or Octo Tempest.

The gang operates on Telegram and Discord channels and is English-speaking and young – in some cases only teenagers.

The National Cyber Security Centre (NCSC) has warned that criminals launching cyber attacks at British retailers are impersonating IT help desks to break into organisations.

The Metropolitan Police has confirmed it is looking into the attack.

The cyber attack has already had a significant impact on the retailer, and the longer it takes them to deal with it, the bigger the hit to its bottom line.

Its share price has fallen since the technical problems started, with more than half a billion pounds wiped off the company’s value.

Online accounts for about a third of M&S’s clothing and home sales. On average, £3.8m is spent on clothing and home products on its website and apps every day.

Faced with the website problems, it’s possible customers may have gone to an M&S store to buy something. But it’s also likely that shoppers have turned to rival online retailers instead.

The problems have coincided with a period of warmer weather, when people are likely to want to buy new summer clothes.

Catherine Shuttleworth, retail analyst at marketing firm Savvy Marketing, told the BBC the online impact would have been immediate. “Given the ‘buy it now’ culture other retailers will benefit from this opportunity.”

The revelation that some customer data was stolen is a “further blow”, she said, as so far the company had had the support of customers “but they will be very concerned that their data has been compromised”.

“M&S is one of the most trusted brands in the land and shoppers hold it to the highest standard,” she added.

One of Marks & Spencer’s biggest suppliers told the BBC it has resorted to using pen and paper for orders.

The boss of Greencore, which supplies sandwiches, rolls and wraps, says it also ramped up deliveries by a fifth to make sure there was more than enough food for the bank holiday weekend.

Thea Green, chief executive of beauty brand Nails Inc, told the BBC her company had a major launch coming up and she was nervous about it, given the problems at M&S.

“It does have an impact on us – but it’s a single-digit percentage of our business, so it’s not a major impact. But they are a very relevant UK customer,” she said.

Meanwhile, M&S has also had to manage disruption to a small proportion of products that it supplies to Ocado, which delivers M&S online food orders and which is part-owned by M&S.

While the retailer was quick to inform customers of the breach, subsequent updates have been infrequent.

Its revelation on 13 May that some customer data had been stolen by hackers marked only its fourth public statement on the hack in three weeks.

Many of its official communications have featured apologies from the company’s boss Stuart Machin but no mention of when normal business will resume.

M&S has not commented on the nature of the cyber attack, which is not unusual in cases like this, but experts say the uncertainty risks damaging consumer trust in the brand.