Marks and Spencer Group has begun notifying customers that hackers accessed some of their data in an April cyberattack, according to a trading update released Tuesday.
The British retailer said the information does not include “usable payment or card details,” which it does not store on its own systems, nor any password information.
However, customers will be prompted to reset their passwords the next time they visit M&S online or attempt to log in to their accounts, according to the update from CEO Stuart Machin. The company has shared information about how to remain safe online, according to the update.
M&S is one of three major U.K. retailers — along with the famed Harrods department store and the supermarket chain Co-op — to be targeted in a recent cyberattack spree by highly skilled hackers. The notorious cybercrime group Scattered Spider has been linked to the attack, although a separate group called DragonForce has claimed credit for the intrusions.
The attacks disrupted online purchases and impacted some store inventories.
The U.K.’s National Cyber Security Centre issued a statement earlier this month confirming that it was working with the retailers to get a better understanding of the attacks. NCSC CEO Richard Horne described the incidents as a wakeup call, and officials released guidance for how to mitigate future ransomware attacks.
In a note to customers from Jayne Wall, M&S’s operations director, the company said the stolen customer information could include basic contact details, dates of birth and online order histories.
Payment information might have been stolen, the company said, but detailed payment card data would be masked and would, therefore, be unusable. The stolen information could also include customer reference numbers for M&S credit card or Sparks Pay holders, according to a frequently asked questions page.
Customers were warned to be on alert for fraudulent calls, emails or text messages claiming to be from the retailer.
Despite the lack of actionable payments information, customers should remain vigilant about hackers potentially abusing the additional personal details, according to Matt Hull, head of threat intelligence at NCC Group.
“Despite the absence of financial data or passwords, threat actors could potentially use the stolen information to launch targeted social engineering attacks,” Hull said. “Stay vigilant for phishing messages pretending to be from M&S or other companies you’ve dealt with.”
