Marks & Spencer notifies Irish data watchdog after cyber attack

Retailer says hackers stole data in recent ransomware attack that shut down online systems

M&S suspended its online marketplace system in response to the attack late last month. Photograph: EPA

Marks & Spencer has notified the Irish Data Protection Commission that some of its Irish customers’ data may have been stolen in a recent cyber attack on the British retail group.

The high street giant fell prey to hackers in late April, forcing it to stop accepting orders online for a time and leading to chaos across its network of stores.

On Tuesday, the retailer wrote to all of its customers for whom it had email addresses, including some in Ireland, informing them that personal customer data had been taken in the attack.

In the letter, Marks & Spencer (M&S) said there is no evidence that the stolen information has been shared and that the data does not include sensitive details such as card payment details or passwords.

“The personal data could include contact details, date of birth and online order history,” it said.

The retailer is warning customers to be wary of any calls, texts or emails claiming to be from M&S and underlining that it will never ask users to provide the group with personal account information such as usernames and passwords.

M&S, which declined to comment, has notified the Irish Data Protection Commission (DPC) of the attack, which suggests some customers in the Republic could have been affected.

The scale of the impact is not yet clear.

A spokesman for the DPC said the watchdog has received a notification from M&S relating to the April attack and data breach, and it is engaging with the retailer.

In the letter, M&S apologised to customers for the incident and said it took steps “immediately” after the attack to protect its systems.

The retail giant’s share price has slumped by more than 11 per cent in the weeks after the attack, initially wiping almost £700 million (€832 million) off its valuation in the week or so after the incident.

Cybersecurity experts suspect M&S fell prey to a ransomware attack, a type of attack in which criminals steal data or lock the victim out of their own systems in exchange for money.

In the aftermath, M&S stopped accepting contactless payments and shut down online orders, and its website is still not working for transactions.

A cybercrime gang has taken credit for a disruptive campaign of attacks on UK retailers in recent months, with the Co-op Group and luxury department store Harrods also targeted.

A spokesperson for the gang, known as “DragonForce,” told Bloomberg News that it carried out the attacks with partners to extort money from victims.

M&S’s Irish unit generated operating profits of £27.9 million (€32.8 million) in the year to the end of March 2024 on revenues of £320.7 million.

The group will report full-year results for its 2024/2025 financial year next week.

Ian Curran

Ian Curran is a Business reporter with The Irish Times