Marks & Spencer confirms attackers obtained customer data

14/05/2025 | The Guardian

Marks & Spencer (M&S) has disclosed that the cyberattack, which has disrupted its online operations since the Easter weekend, resulted in the theft of some personal information belonging to thousands of its customers. 

On Tuesday, the retailer said that customer data, including names, addresses, and order histories, had been accessed due to the "sophisticated nature of the incident," but confirmed that this did not include payment information or account passwords. 

M&S has informed customers that no immediate action is required on their part, although they will be prompted to reset their passwords upon their next login as a precautionary measure. The company did not specify the number of affected customers.

A related article in the Financial Times (£) reports that M&S has cyber insurance policies that could allow it to claim up to £100 million in losses from the recent attack. Sources indicate that primary insurer Allianz is expected to cover at least £10 million. Cyber insurance specialist Beazley is also reportedly among the insurers exposed. A senior insurance market figure anticipates that M&S's cover is likely to pay out in full; the cover is understood to include both direct losses, such as lost sales and incident response expenses, and third-party losses, including potential legal liabilities arising from the data breach. An extrapolation of the company's average daily online sales suggests that M&S may have already incurred revenue losses exceeding £60 million. In addition, the attack has caused difficulties in maintaining stock levels, likely leading to further sales reductions.

Meanwhile, The Guardian reports that off the back of its successful hacking campaign in the UK, Scattered Spider is now targeting US retailers. 

£ - The Financial Times article requires a subscription.
