M&S Cyberattack Raises Security Concerns

London, UK – British retail giant Marks & Spencer has confirmed that customer data was accessed in a sophisticated cyberattack, raising fresh concerns over cybersecurity vulnerabilities in the retail sector. The company said that while sensitive payment information remains secure, other personal details have likely been compromised.

In a statement issued by CEO Stuart Machin, M&S acknowledged that hackers penetrated its systems, though he emphasized that no "usable payment or card details" were exposed, as such data is not stored within the company’s internal infrastructure. The firm also reported no evidence of leaked account passwords.

“To offer added reassurance, customers will be prompted to reset their passwords during their next login,” Machin stated. “We’ve also shared guidance on how to stay safe online.”

M&S, which had 9.4 million active online users as of March 30, has not disclosed how many customers were directly affected. Despite the reassurances, cybersecurity experts warn that the accessed information—such as names, email addresses, phone numbers, and potentially order histories—could still put customers at risk.

Tim Grieveson, Chief Security Officer at ThingsRecon, explained: “Even without card numbers, attackers can exploit exposed data to craft convincing phishing emails or scam messages that appear highly legitimate.”

Charlotte Wilson, Head of Enterprise at Check Point, echoed this concern: “Just because card details weren’t stolen doesn’t mean there’s no threat. We often see a surge in fraudulent messages and calls after breaches of this nature. Customers should be on high alert—not panicked, but cautious.”

Ongoing Disruption and Internal Chaos

The breach, reportedly carried out by the hacking group Scattered Spider, has caused widespread disruption across the M&S network. The attack was first detected on Easter Monday, leading to a recruitment freeze, online shopping outages, and product shortages across UK stores.

Agency staff at key distribution centres were told to stay home, and insiders say the company has been in disarray ever since. One employee, speaking anonymously to Sky News, described the atmosphere at M&S headquarters as "pure chaos," revealing the company had no formal business continuity or cyber incident response plan in place.

“People have been sleeping in the office,” the insider said. “There’s been a lot of stress and exhaustion. The response has been completely reactive.”

Retail Sector Under Fire

Marks & Spencer isn’t alone in facing cyber threats. The Co-op recently apologized after a breach exposed data from a significant number of current and former members. In the same week, luxury retailer Harrods temporarily limited internet access at its locations following an attempted attack.

The UK’s National Crime Agency has launched investigations into each incident but says it is considering the possibility of coordinated efforts.

As investigations continue and companies scramble to contain the fallout, experts are urging the public to practice digital vigilance—question unsolicited messages, avoid suspicious links, and activate two-factor authentication wherever possible.