The company has been badly impacted by a cyber attack (Picture: Shutterstock)

Marks and Spencer has said that some customer data was stolen by hackers,after they launched a devastating cyber attack that is still affecting shoppers.

In their latest update this morning,they said ‘some customer information has been taken’,however said this did not include ‘useable card or payment details or account passwords,so there is no need for customers to take any action’.

Users would be prompted to change their passwords nevertheless,to give them ‘extra peace of mind’.

But a cyber expert said that even if passwords were not taken,the data – whch could include dates of birth and order histories – could still help criminals craft personalised attacks and scams,putting customers at risk.

In the message,chief executive Stuart Machin said: ‘Everyone at M&S is working around the clock to get things back to normal for our customers as quickly as possible,and we are very sorry for any inconvenience they have experienced. Our stores remain open as they have throughout.’

A message shared on Instagram by M&S this morning (Picture: Instagram)

The high street chain did not say how many customers had been affected.

Joe Jones,the founder of cybersecurity app Pistachio,said: ‘While no passwords or payment data were taken,the exposed personal details – names,contact information,dates of birth,and order histories – will likely be used or sold on the dark web to aid social engineering attacks.

‘With this kind of context,attackers can craft convincing,tailored scams that appear legitimate,from fake delivery updates to bogus account notifications. We often see this kind of breach followed by a wave of personalised phishing attempts. Anyone with an M&S account should be extra cautious and stay alert for emails or texts claiming to be from the retailer.’

Marijus Briedis,Chief Technology Officer at NordVPN,also warned: ‘M&S sounds overly optimistic in their advice,saying that there is no evidence any customer data has been shared beyond the hackers,and that financial information was not leaked.

‘However,even if passwords or payment details weren’t exposed,contact information and dates of birth are still highly valuable to cybercriminals. This type of data can be used in phishing campaigns or combined with other leaked information to commit identity theft.

‘Consumers often underestimate how damaging ‘harmless’ data like order history or email addresses can be in the wrong hands. These M&S hackers could use this data to build highly personalised phishing emails,designed to look identical to what the retailer would send,and these are much harder to spot.’

Timeline of the cyber attack on Marks and Spencer

February 2025: Initial breach?

The exact date of the initial breach has not been confirmed,but cybersecurity experts believe attackers could have infiltrated M&S’s systems as early as February. Before causing any disruption,they could have laid low,ensuring they first had deep access to the company’s internal network.Saturday,April 19: First problems reported

Customers began reporting issues with contactless payments and Click & Collect services across M&S stores over the Easter weekend. At the time,these were thought to be routine technical glitches.Monday,April 21: Cyber incident confirmed

M&S publicly acknowledged a ‘cyber incident’ and began taking internal systems offline to contain the breach. This marked the first official confirmation of a serious issue,with a statement to the stock exchange.  Wednesday,April 23: Click and Collect and Contactless disruption

Customers were told they could no longer use the Click and Collect service,while contactless payments were also suspended. A message to customers apologised for the ‘changes which may inconvenience you’.Friday,April 25: Online orders suspended

M&S suspended all online orders via its website and mobile apps,with customers only able to browse products online. Service has still not yet been resortedTuesday,May 13: Marks confirms customer data stolen

A message to customers acknowledged that personal data had been accessed by hackers,although the company said this did not include usable payment details or passwords.Shoppers are still unable to buy M&S products online via their website or app due to the cyber attack,while shops have also been hit with empty shelves.The retailer first blocked online orders on April 25,meaning this is now the third week where a major part of their sales is completely out of action.A customer service rep wrote on Instagram yesterday: ‘At the moment,we can’t confirm when we’ll be taking orders again on the website. However,we’re working very hard to get operations back online as soon as possible. Our stores remain open as usual and we’re looking forward to welcoming you.’The incident first caused problems for the retailer’s contactless payments and click and collect orders,while it has also impacted some availability in stores.Marks and Spencer has not been the only major brand affected by a cyber attrack in recent weeks.Harrods was hit,with upmarket shoppers warned that the company had ‘restricted internet access’,leaving some unable to pay.Meanwhile,hackers are also thought to have accessed the personal details of shoppers at Co-op.They claimed to have obtained data related to 20 million customers who signed up to the supermarket’s membership scheme,a number which the company has neither confirmed nor disputed.