M&S has confirmed that some customer data, including names, addresses and order histories, was taken during the cyber attack that has caused ongoing disruption to its operations for over three weeks.

The cyber incident, which has been linked to cyber crime group Scattered Spider, was first reported over the Easter weekend. It has since caused M&S to shut down online operations and created some product availability issues in-store after the retailer was forced to close off some of its IT systems.

No passwords or “usable” card or payment data stolen

M&S was quick to state that no “usable” payment or card details or account passwords had been stolen by the hackers, and that customer data didn’t appear to have been shared. However, it urged customers to reset their passwords as a precaution for “extra peace of mind.”

Commenting in The Guardian, a spokesperson for the retailer said that “due to the sophisticated nature of the incident, some personal customer data has been taken.”

“Importantly, the data does not include usable payment or card details, which we do not hold on our systems, and it does not include any account passwords. There is no evidence that this data has been shared.”

With online suspended, M&S faces a £30million profit hit

With online orders still suspended and an estimated one third of its clothing and home sales coming from its ecommerce channel, M&S faces a significant financial hit as it misses out on seasonal sales as the UK experiences warmer weather; last month Barclays said consumer card spending rose +4.5% compared to 2024, buoyed by the sunniest April on record.

Deutsche Bank analysts told Reuters that so far the profit hit to M&S could be in the region of £30million, and, while cyber insurance would likely cover most of the impact, cover is usually only provided for a limited time.
