Security Affairs

Marks and Spencer confirms data breach after April cyber attack


Marks and Spencer (M&S) confirms that threat actors stole customer data in the ransomware attack that hit the company in April.

In April, Marks and Spencer Group plc (M&S) announced it had been managing a cyber incident over the preceding days with the help of external cyber security experts. Customers reported outages affecting card payments, gift cards, and M&S’s Click and Collect service across its electronic payment systems.

“Marks and Spencer Group plc (the Company, or M&S) has been managing a cyber incident over the past few days. As soon as we became aware of the incident, it was necessary to make some minor, temporary changes to our store operations to protect customers and the business and we are sorry for any inconvenience experienced. Importantly, our stores remain open and our website and app are operating as normal,” reads the Cyber Incident Update published on the London Stock Exchange.

“The Company has engaged external cyber security experts to assist with investigating and managing the incident.”

The company immediately reported the incident to the relevant data protection supervisory authorities and the National Cyber Security Centre. The company did not share technical details about the attack.

M&S is a major British multinational retailer headquartered in London. Founded in 1884, it is best known for selling clothing, home goods, and food products. It is listed on the London Stock Exchange (LSE) and is a constituent of the FTSE 100 Index.

The company operates both physical stores and online services, with a strong presence in the UK and in some international markets. It is a household name in the UK, often associated with tradition, quality, and British heritage.

The DragonForce group claimed the attacks on M&S and Co-op, and told the BBC that it had also attempted to hack Harrods.

BleepingComputer reported that DragonForce ransomware affiliates used Scattered Spider social engineering tactics to target Marks and Spencer. The attackers encrypted the VMware ESXi virtual machines used by the company.

This week, a cyber update published by the company on its website confirmed the data breach:

“To proactively manage the incident, we immediately took steps to protect our systems and engaged leading cyber security experts. We also reported the incident to relevant government authorities and law enforcement, who we continue to work closely with,” reads the update.

“Unfortunately, the nature of the incident means that some personal customer data has been taken, but there is no evidence that it has been shared. The personal data could include contact details, date of birth and online order history. However, importantly, the data does not include useable card or payment details, and it also does not include any account passwords.”

According to the company, the stolen data may include contact information, date of birth, online order history, household information, and masked payment card details, but not full payment details. Customer reference numbers associated with M&S credit cards or Sparks Pay may also be affected. No action is required from customers, but M&S warns them to be cautious of potential phishing attempts, since the company will never ask for personal account information.

“The personal data taken could include contact details – such as name, email address, addresses, telephone number – date of birth, online order history, household information and ‘masked’ payment card details used for online purchases. For clarity and reassurance, M&S does not hold full payment card details on its systems, which is why we use the term ‘masked’,” states the company.

“In addition, if you have or previously had an M&S credit card or Sparks Pay, your customer reference numbers, which are not your credit card number or payment details, could also be included. Importantly, the data does not include useable card or payment details.”

M&S stated that there is no evidence the data has been shared, and that it includes neither payment details nor passwords; as a precaution, customers will nonetheless be prompted to reset their passwords at their next login.

The company recommends being cautious with unexpected emails, calls, or texts, using strong and unique passwords for each account, keeping devices updated with the latest security patches, and consulting the UK National Cyber Security Centre website for further guidance on data breaches.

Pierluigi Paganini

(SecurityAffairs – hacking, M&S)