Marks & Spencer has admitted that customers’ personal data has been stolen during the ongoing cyber attack on its systems.

After days of speculation, it revealed the breach in an email update to shoppers, which was also posted on Facebook.

The attack was launched just before the Easter weekend, at which point click-and-collect orders did not work and some contactless payments would not go through; since then, customers have not been able to place online orders. Last year, online orders for home and clothing came to about £30m a day for the retail giant.

While contactless in-store payments were restored, the firm’s logistics operation has been disrupted, meaning that several stores have seen empty shelves.

What personal data has been stolen in the Marks & Spencer cyber attack?

Chief executive Stuart Machin said the data had been accessed due to the “sophisticated nature of the incident”. Personal data that could have been accessed includes names, email addresses, postal addresses and dates of birth, according to M&S.

But the group stressed that the data does not include payment or card details or account passwords, and is not believed to have been shared online.

How many people are affected by the M&S data breach?

The high street chain did not say how many shoppers had been affected but has emailed all website customers to alert them about the data breach. It had 9.4 million active online customers in the year to March 30, according to its last full-year results.

What should M&S shoppers do?

Mr Machin told shoppers there is “no need for customers to take any action”.

In a social media post, Mr Machin said: “We have written to customers today to let them know that unfortunately, some personal customer information has been taken. Importantly, there is no evidence that the information has been shared and it does not include usable card or payment details, or account passwords, so there is no need for customers to take any action.

“To give customers extra peace of mind, they will be prompted to reset their password the next time they visit or log on to their M&S account and we have shared information on how to stay safe online.”

But Charlotte Wilson, head of enterprise at Check Point Software, added: “Customers should not assume there is nothing to worry about. Even if payment data or passwords were not taken, the personal information that was, such as email addresses, phone numbers, and home addresses, can still be exploited by cybercriminals.

“This type of data is protected for a reason. It can be used to create convincing scams that feel personal and trustworthy. We often see a spike in phishing emails, fake delivery texts, and scam calls after breaches like this, particularly when order history or usernames are involved.

“Attackers may also try to reset passwords or access other platforms by testing reused login credentials. If their phone numbers have been accessed, people should be alert to smishing and vishing attempts. The simple truth is, if you are unsure, do not click. I have seen the 'free tea in M&S' scam emails myself, and they will get clicked on by the most unsuspecting. Sadly, this quickly shifts from being a corporate hack to something that impacts everyday people.

“This is not about panic, but it is a reminder that cybersecurity is not just about technology. It requires everyday awareness. Avoid unexpected links, treat unsolicited messages with caution, and turn on two-factor authentication wherever possible.”

Dray Agha, senior manager of security operations at Huntress, said: “People should watch out for fake messages, as scammers may try to exploit the breach with emails or texts pretending to be from M&S. If you’re asked for login details or personal info, don’t reply, and don’t click suspicious links.”

Who is behind the cyber attack?

A group known as Scattered Spider has been linked to the attack, according to reports. On May 2, the Information Commissioner’s Office said it was also looking into the attack, as well as a similar major incident involving the Co-op.

Luxury department store Harrods also confirmed earlier this month it had been affected by an attempted hack and had temporarily restricted internet access across its sites as a precautionary measure. The National Crime Agency has said it is investigating the attacks individually but is “mindful they may be linked”.

How long will the M&S cyber attack last?

Zain Javed, the CTO at Citation Cyber, says it can take up to three years to recover from a cyber attack.

He said: “When a retailer is hit by a cyberattack, particularly ransomware, isolating the affected systems is essential to contain the threat. M&S and Co-op’s decisions to halt online purchases are precautionary steps aimed at preventing further damage and protecting customer data.

“These companies are likely conducting deep forensic investigations, cleaning their systems, restoring from backups, and testing everything rigorously before resuming normal operations. Depending on the scale and complexity of the breach, this process can take weeks or even months. The average time to identify and contain a data breach is 258 days, according to IBM’s 2024 Cost of a Data Breach report. It can take as long as three years to fully recover from a cyber attack in some cases, with a significant increase in costs to put things right and ensure they don’t happen again.

“Retailers can’t afford to rush this phase, as any premature reopening risks reinfection or additional breaches. The downtime reflects the seriousness with which these companies are treating the incident and the lengths they must go to in order to safeguard their customers and brand reputation.”

What are the dangers of personal data being stolen?

Kev Eley, the vice president for UKI at Exabeam, said that the recent attacks should be seen as “no longer a series of isolated incidents, but a broader industry-wide concern”.

“What makes these attacks especially concerning is the potential risk to customer data, with the personal data of 20 million customers reported to be compromised during the Co-op attack,” he added. “Retailers are responsible for huge amounts of personal information, from contact and payment details to account passwords. These cyberattacks pose a direct risk to customers and if attackers access this data, it can be used for identity theft, financial fraud, or sold on the dark web. With the National Cyber Security Centre (NCSC) now warning against fraudulent IT calls after the hacks, there’s a growing concern that even wider repercussions will be felt.”