Marks & Spencer has issued a major update in the wake of the cyber attack that crippled the high street giant – and cost it more than £1billion.
The retailer, which was left reeling from the devastating hack, has today warned that contact details and dates of birth of some customers have been stolen.
And M&S said other personal details were also pilfered by cyber crooks, including customers’ order histories.
However, bosses at the chain have insisted no data relating to shoppers’ payment or card details, or account passwords, had been taken.
It’s unclear how many shoppers have been affected by the data breach.
Stuart Machin, M&S chief executive, said the firm was writing to customers to inform them that ‘unfortunately, some personal customer information has been taken’.
‘Importantly, there is no evidence that the information has been shared,’ he said, adding: ‘Everyone at M&S is working around the clock to get things back to normal for our customers as quickly as possible, and we are very sorry for any inconvenience they have experienced.’
It’s believed M&S could take ‘months’ to recover from the hack over the Easter weekend, which wiped a staggering £1billion off the retailer’s market value.

The hack has caused mayhem for Marks & Spencer, meaning it was unable to process online orders. The retailer has now warned some customers’ personal details have been stolen

Pictured is the full letter from M&S’ chief executive Stuart Machin outlining the data breach

British teenagers have been linked to the notorious Scattered Spider hacking group responsible for the cyber attack that continues to cripple Marks & Spencer
M&S shares tumbled another 4.7 per cent – meaning the High Street retailer has shed over 12 per cent of its value or £1.05billion since the hack at Easter.
That left M&S with a market capitalisation of £7.4billion.
The latest slump in the share price came as analysts at Deutsche Bank estimated the crisis is costing it £15million in lost profits a week – with a total hit of £30million so far.
Scotland Yard detectives are probing M&S’ devastating IT meltdown, which is thought to have been the work of teenage hackers.
The gang also admitted to later carrying out an attack on Co-op, saying ‘personal data such as names and contact details’ had been taken from its membership scheme.
Last week, cybercrime group DragonForce claimed responsibility for the ongoing crisis that caused the retail giant to pause its click and collect service.
DragonForce, who say their job is ‘not to destroy’, but ‘just take some money and walk away’, claimed more than 90 victims last year and targeted companies across various industries.
But now, new motives and allegiances have come to light after the group appeared to use a dark web forum threatening to ‘punish any violations’ by other hackers planning to use its ransomware in Russia or the former Soviet states.

M&S have faced stock issues following the cyber attack which has left many of their shelves empty

More bare fridge shelves inside an M&S supermarket following the cyber attack which crippled the chain
A statement which claimed to be from the group, released at the end of last month, read: ‘Any attack by our software on critical infrastructure, hospitals where patients, children, and the elderly are kept, or on the countries of the former Soviet Union, is a PROVOCATION [sic] by unscrupulous partners.’
It added: ‘We, as regulators, are doing our best to counteract this, and we will punish any violations, as well as assist in solving the problems of the affected parties.’
The recent attacks have also been linked to the notorious English-speaking teenage hacking gang, Scattered Spider.
The collective of cyber crooks is made up of around 1,000 teenagers and young men across the UK and the US and has been blamed for cyber attacks on other major companies.
Scattered Spider uses the hacking tools developed by the Russia-linked group known as BlackCat and ALPHV, a possible indication of a business partnership between the groups to share in ransom payments.
However, investigators believe the attackers on this occasion used a hacking tool from DragonForce, which bills itself as a ‘ransomware cartel’, to carry out the breach.
The gang has previously been linked with major hacks that incapacitated casino giants MGM Resorts International and Caesars Entertainment.
M&S has not been able to take any orders through its website or app since April 25 as it tries to resolve the problem.
The incident first caused problems for the retailer’s contactless payments and click and collect orders, while it has also impacted some availability in stores.
In an email to customers, M&S operations director Jayne Wall said: ‘You do not need to take any action, but you might receive emails, calls or texts claiming to be from M&S when they are not, so do be cautious.
‘Remember that we will never contact you and ask you to provide us with personal account information, like usernames, and we will never ask you to give us your password.’

Pictured is the email M&S customers received following claims some shoppers’ personal details had been taken by cyber crooks during last month’s hack on the retailer

The alleged British ringleader of Scattered Spider, Tyler Buchanan, was arrested in Spain last summer, having travelled from London to Barcelona and then on to Palma, Mallorca.
The 23-year-old from Dundee, Scotland, was about to fly to Naples when he was caught by cops at the airport and found to be in control of a cryptocurrency wallet totalling more than $26 million (£20 million) in Bitcoin.
Buchanan was then extradited to the US on April 23 on charges of conspiracy to commit wire fraud, conspiracy, wire fraud, and aggravated identity theft.
The hacking group is alleged to have targeted employees of companies across the US with phishing text messages and then used the harvested employee credentials to log in and steal non-public company data and information and to hack into virtual currency accounts to steal millions of dollars in cryptocurrency.

Tyler Buchanan, who has been extradited to the US to face charges relating to his role in Scattered Spider, pictured in 2016

Buchanan being arrested by Spanish police after he fled to Mallorca following an alleged raid on his mother’s home by a rival cyber crime cartel
Deemed a flight risk, Buchanan was denied bail when he appeared in court in California.
Last week it was reported Buchanan allegedly went on the run after a masked group descended on his mother’s home in Dundee, Scotland.
The crooks were reportedly armed with lit blowtorches and were demanding the passwords for his cryptocurrency accounts.
A neighbour said they had not seen him since the alleged raid on his home in February 2023.
They told The Sun a car turned up and four or five males ‘piled out’ before entering the house and threatening to burn Buchanan with a blowtorch if he refused to give them the information.
According to reports on encrypted messaging app Telegram, which Buchanan was known to frequent under the username ‘Tylerb’, a rival cyber gang hired the men to invade his home.
The same accounts claimed that his mother was assaulted by the intruders.