British multinational retailer Marks and Spencer said the data security incident it suffered last month compromised the sensitive personal information of its customers.
In a notice filed with the London Stock Exchange on April 22, M&S said it had suffered a significant cyber security incident and had immediately launched an investigation, with the assistance of external cyber security experts, to determine the nature and scope of the incident.
“It was necessary to make some minor, temporary changes to our store operations to protect customers and the business and we are sorry for any inconvenience experienced. Importantly, our stores remain open and our website and app are operating as normal,” reads the notice.
In a further filing with the London Stock Exchange on May 13, M&S said its investigation had confirmed that sensitive personal information belonging to customers was taken during the incident.
“We are writing to customers informing them that due to the sophisticated nature of the incident, some of their personal customer data has been taken. Importantly, the data does not include usable payment or card details, which we do not hold on our systems, and it does not include any account passwords. There is no evidence that this data has been shared,” M&S said in its filing.
The compromised data included names, email addresses, addresses, telephone numbers, dates of birth, online order history, household information and ‘masked’ payment card details used for online purchases.
The retailer added that no action is required from affected customers; however, “for extra peace of mind, they will be prompted to reset their password the next time they visit or log onto their M&S account”.
A threat group operating under the name “Scattered Spider” claimed responsibility for the ransomware attack on M&S. The group said it first breached M&S’s network in February and stole the Windows domain’s NTDS.dit file, the Active Directory database that holds the password hashes of every account in the domain.
Using compromised credentials, the attackers moved laterally through the Windows domain, and on April 24 they encrypted the retailer’s virtual servers by deploying the DragonForce encryptor to its VMware ESXi hosts. Encrypting at the hypervisor layer takes down every guest VM on those hosts at once, which is why this step, rather than the initial intrusion, is the point at which the outage became visible.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543