M&S customers urged to ‘stay vigilant’ for fraud after data breach confirmed

13 May 2025, 12:04

Marks and Spencer cyber attack
Marks and Spencer cyber attack. Picture: PA

The retailer has confirmed that the cyber attack which began at Easter has seen some customer data stolen.

Marks and Spencer customers have been urged to “stay vigilant” for scams and fraud after the retailer confirmed some personal data had been stolen in a cyber attack on the firm.

M&S said on Tuesday that data that could have been accessed includes names, email addresses, postal addresses and dates of birth, but stressed the data does not include payment or card details, or account passwords and is not believed to have been shared online.

Cyber security experts have now urged potentially impacted customers to be wary of phishing attempts – where criminals pose as official businesses in an effort to get personal and financial information from victims.

Matt Hull, head of threat intelligence at cyber security firm NCC Group, said: “Despite the absence of financial data or passwords, threat actors could potentially use the stolen information to launch targeted social engineering attacks.

“Stay vigilant for phishing messages pretending to be from M&S or other companies you’ve dealt with. These attackers might use the leaked M&S information to craft very convincing scams.

“Cyber criminals are also likely to sell this data on the dark web as well, putting customers at even more risk.

“If you’re unsure about an email’s authenticity, don’t click any links. Instead, visit the company’s website directly to verify any claims. This extra step can protect you from falling victim to phishing attacks.”

Sam Kirkman, director of services for Europe, the Middle East and Africa at cyber security firm NetSPI, said M&S customers should also be aware of identify fraud in breaches such as this.

“The personal information stolen in this breach would significantly increase the risk of identity fraud if it is released publicly or shared with other criminals,” he said.

“It is therefore vital that potential victims monitor their credit scores to ensure financial products are not taken out in their name, without their consent.

“It is also important to remain alert to scams which may leverage this information toward you or your family members to appear more legitimate. For example, some criminals may impersonate a well-known organisation and convince victims of their credibility by providing their name, address and date of birth – before using this false credibility to scam the victim out of their money.”

William Wright, chief executive of Closed Door Security, said the “best advice” for M&S customers in the wake of the incident was to be “highly cautious” of all email correspondence in relation to the attack, as this was likely how criminals would likely target people.

“Don’t send personal information over email, treat phone calls relating to the breach with caution, and if an email does come in requesting information, don’t hit reply, instead, contact M&S via the email address on its genuine website to verify its validity,” he said.

Chris Burton, head of professional services at Pentest People, also encouraged people to more broadly sure up their online security.

“The first piece of advice I would provide is to change your password at the earliest opportunity, ensure it’s complex and do not ‘password share’ with any other logins you may have,” he said.

“This should also be enabled if the online retailer supports multi-factor authentication (MFA). If you are to configure MFA, I’d avoid using SMS based tokens; use an authenticator app.

“If an online retailer has enabled Passkeys, you can use a password manager to generate a passkey which essentially makes your account ‘passwordless’ – the passkey is a unique ‘key’ which is used to validate the user, it doesn’t require any keying of passwords and won’t store a password that could be potentially harvested.

“I would always discourage from saving your payment methods with providers; this is a common feature, and although there are security precautions in place with these types of things, I’d personally sooner not run the risk.

“Keep an eye on your personal information and things like credit files. If your personal details are harvested from a compromised source, there is the opportunity for impersonation. You may get an increase in spam calls claiming to be from various companies such as Amazon or other high-end retailers.”

By Press Association

More Technology News

See more More Technology News

Experts have warned about the risks posed by period tracking apps (Alamy/PA)

Experts warn of risks linked to period tracker apps

Data (Use and Access) Bill

Lords’ objections to Data Bill over copyright threatens its existence – minister

A primary school teacher looking stressed next to piles of classroom books

Pupils could gain more face-to-face time with teachers under AI plans

A self-driving Uber equipped with cameras and sensors drives the streets of Washington, DC

Uber to launch self-driving taxis in London next spring

Social media app icons displayed on an Apple iPhone

Social media giants can ‘get on’ and tackle fraud cases, says City watchdog

Science and Technology Secretary Peter Kyle

Investments in UK tech sector will create hundreds of jobs, says Government

Rachel Reeves, left, wearing a lab coat and putting on some disposable gloves with Peter Kyle, both standing next to a microscope

Rachel Reeves to announce £86bn for science and technology in spending review

View of the Alphawave Semi logo is seen displayed on a smartphone screen

Alphawave agrees £1.8bn takeover by America’s Qualcomm

The TikTok logo displayed on a phone

TikTok creating more than 500 new British jobs as UK users top 30 million

Starmer visit to London Tech Week conference

Sir Keir Starmer vows to overcome sceptical public on ‘harnessing power’ of AI

A sign for the Post Office

More than £1 billion paid to those wronged by Horizon scandal, Government says

One in three employers believe AI will boost productivity

‘Significant challenges’ in use of AI within UK screen sector

Students use laptop computers to study in class

AI skills drive in schools to ‘put power in hands of next generation’ – Starmer

Australia will ban social media for under-16s.

Children could face 'two-hour social media limit' under new Government proposal

Peter Kyle

Minister says AI ‘does lie’ but defends Government amid copyright row

Ian Russell

Molly Russell’s father urges PM to act over online harms as ‘app cap’ considered