We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: Holiday.com, ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

M&S Confirms Customer Data Was Stolen in Ransomware Attack

By Husain Parvez, Cybersecurity Researcher. First published on May 14, 2025.

Marks & Spencer has confirmed that personal customer data was stolen in the recent cyberattack that disrupted its services for weeks. The breach exposed names, addresses, phone numbers, and order histories. While account passwords and full card details were not compromised, the retailer urged customers to reset their passwords “for extra peace of mind.”

According to BBC News, the breach affects users of M&S’s online services. While some services remain operational, the retailer’s website and app are only partially accessible, and fulfillment systems continue to face delays.

The data breach is the latest development in an incident that began over Easter weekend, when customers reported failures in contactless payments and Click & Collect services. At the time, M&S described the situation as a “cyber incident” and said it had made “operational changes to protect [customers] and the business,” as cited in the report by TechCrunch. A company spokesperson declined to elaborate, but reports of outages and delays persisted across stores and digital platforms.

The Record confirmed that M&S was contacting customers directly to notify them of the breach. “There is no evidence that this data has been shared,” the retailer stated, though security experts warn the threat of data resale or identity fraud remains. The incident has already caused significant operational damage. The retailer is losing approximately £43 million per week in sales due to the disruption, with no set date for when online ordering will resume.

The attack has been linked to the DragonForce ransomware group, which has also targeted Harrods and the Co-op. Known for “double extortion” tactics — encrypting data while stealing a copy to pressure victims into paying — DragonForce has been under close scrutiny. The National Cyber Security Centre confirmed it is working with affected organizations but said it couldn’t yet confirm if the attacks were coordinated. British intelligence services are investigating whether DragonForce acted alone or as part of a broader campaign.

We reported that the incident showed hallmarks of ransomware, with experts already suspecting DragonForce’s involvement. At the time, M&S’s systems were experiencing widespread disruption, prompting cyber expert Ciaran Martin to call it “a pretty bad episode of ransomware” and a “very difficult one for them to deal with.”

Although in-store operations have resumed, M&S’s logistical and digital infrastructure remains under strain. Laminated signs citing “technical issues” have become a common sight, and customer frustration is mounting. Cybersecurity analysts, however, caution against premature conclusions. “If the attackers hold on to the data and release it later, M&S could face further reputational and legal fallout,” said Matt Hull, head of threat intelligence at NCC Group, in the BBC report.

As of now, the DragonForce group has not publicly claimed responsibility for the attack, but the pattern aligns with other incidents linked to the group. M&S has notified regulators and continues to work with external cybersecurity experts to contain the threat. While the company insists that “there is no need for customers to take action,” it still urges vigilance.

About the Author

Husain Parvez is a Cybersecurity Researcher and News Writer at vpnMentor, focusing on VPN reviews, detailed how-to guides, and hands-on tutorials. Husain is also a part of the vpnMentor Cybersecurity News bulletin and loves covering the latest events in cyberspace and data privacy.
