M&S says customer data stolen in cyber attack
London — High street retailer Marks & Spencer (M&S) has confirmed that a recent cyber attack led to the theft of some personal customer data, including names, contact information, and dates of birth.
The company revealed that while sensitive details such as account passwords and full payment card information remain secure, hackers did gain access to customers’ order histories, email addresses, home addresses, and telephone numbers. The breach also included household information linked to customer accounts.
M&S, which was first hit by the attack on April 25, is still struggling to restore full functionality. Online ordering remains suspended, and some services continue to face disruption. In response, the company is urging customers to reset their account passwords as a precautionary measure.
Chief Executive Stuart Machin announced that affected customers would be contacted directly. “Unfortunately, some personal customer information has been taken,” Machin confirmed in a statement on Tuesday. “Importantly, there is no evidence that the information has been shared.”

In an email to customers, M&S Operations Director Jayne Wall reassured recipients that no immediate action is necessary but warned them to remain vigilant against potential scams. “You might receive emails, calls or texts claiming to be from M&S when they are not, so do be cautious,” she said. “We will never contact you asking for personal account information or passwords.”
The cyber attack initially affected in-store payments before spreading to other systems across the company. M&S says it is “working around the clock” to fully recover and protect customers.
The company reiterated that even if some card information was accessed, it would be unusable since M&S does not store full payment details on its systems.
Customers are advised to monitor their accounts closely and report any suspicious activity.