M&S customers urged to ‘stay vigilant’ for fraud after data breach confirmed

Marks and Spencer customers have been urged to “stay vigilant” for scams and fraud after the retailer confirmed some personal data had been stolen in a cyber attack on the firm.

M&S said on Tuesday that data that could have been accessed includes names, email addresses, postal addresses and dates of birth, but stressed the data does not include payment or card details, or account passwords and is not believed to have been shared online.

Cyber security experts have now urged potentially impacted customers to be wary of phishing attempts – where criminals pose as official businesses in an effort to get personal and financial information from victims.

Matt Hull, head of threat intelligence at cyber security firm NCC Group, said: “Despite the absence of financial data or passwords, threat actors could potentially use the stolen information to launch targeted social engineering attacks.

“Stay vigilant for phishing messages pretending to be from M&S or other companies you’ve dealt with. These attackers might use the leaked M&S information to craft very convincing scams.

“Cyber criminals are also likely to sell this data on the dark web as well, putting customers at even more risk.

“If you’re unsure about an email’s authenticity, don’t click any links. Instead, visit the company’s website directly to verify any claims. This extra step can protect you from falling victim to phishing attacks.”

Sam Kirkman, director of services for Europe, the Middle East and Africa at cyber security firm NetSPI, said M&S customers should also be aware of identify fraud in breaches such as this.

“The personal information stolen in this breach would significantly increase the risk of identity fraud if it is released publicly or shared with other criminals,” he said.

“It is therefore vital that potential victims monitor their credit scores to ensure financial products are not taken out in their name, without their consent.

“It is also important to remain alert to scams which may leverage this information toward you or your family members to appear more legitimate. For example, some criminals may impersonate a well-known organisation and convince victims of their credibility by providing their name, address and date of birth – before using this false credibility to scam the victim out of their money.”

William Wright, chief executive of Closed Door Security, said the “best advice” for M&S customers in the wake of the incident was to be “highly cautious” of all email correspondence in relation to the attack, as this was likely how criminals would likely target people.

“Don’t send personal information over email, treat phone calls relating to the breach with caution, and if an email does come in requesting information, don’t hit reply, instead, contact M&S via the email address on its genuine website to verify its validity,” he said.

Chris Burton, head of professional services at Pentest People, also encouraged people to more broadly sure up their online security.

“The first piece of advice I would provide is to change your password at the earliest opportunity, ensure it’s complex and do not ‘password share’ with any other logins you may have,” he said.

“This should also be enabled if the online retailer supports multi-factor authentication (MFA). If you are to configure MFA, I’d avoid using SMS based tokens; use an authenticator app.

“If an online retailer has enabled Passkeys, you can use a password manager to generate a passkey which essentially makes your account ‘passwordless’ – the passkey is a unique ‘key’ which is used to validate the user, it doesn’t require any keying of passwords and won’t store a password that could be potentially harvested.

“I would always discourage from saving your payment methods with providers; this is a common feature, and although there are security precautions in place with these types of things, I’d personally sooner not run the risk.

“Keep an eye on your personal information and things like credit files. If your personal details are harvested from a compromised source, there is the opportunity for impersonation. You may get an increase in spam calls claiming to be from various companies such as Amazon or other high-end retailers.”