Irish customers have been contacted by Marks and Spencer to let them know that personal customer data has been taken as part of the ongoing “cyber incident” that the retailer is grappling with.
Asked by Gript to confirm whether customers in the Republic of Ireland have been affected by the breach, a spokesperson said that “out of an abundance of caution, we have written to all our customers that we have an email address for,” adding that “this includes Irish customers”.
According to the British retailer, there is no evidence that the compromised data has been shared, adding that it does not include “useable card or payment details, or account passwords”, and so there is no need for customers to take any action.
“To give customers extra peace of mind, they will be prompted to reset their password the next time they visit or log onto their M&S.com account on our website or app, and we have shared information on how to stay safe online,” the statement reads.
The cyberattacks began in late April, with Reuters reporting that hackers impersonated employees while contacting the company’s IT help desks in order to gain access to the network.
The ruse was successful, with the hackers able to convince the technicians to reset the impersonated employees’ passwords, granting them access.
First sounding the alarm about the incident April 22, three days later the retailer was forced to pause clothing and home orders through its online stores.
Reuters reports analysts at Deutsche Bank as estimating a profit hit of about 30 million pounds to May 6, and an additional 15 million pounds a week from then on.
According to M&S, they are working with cyber security experts, government authorities and law enforcement in an effort to bring the situation back under control.
A cybercrime gang, DragonForce, has reportedly claimed credit for the attack, a spokesperson saying that the intention was to extort money from those companies affected.
On the M&S website, concerned customers are told that the compromised data could include contact details (name, email address, addresses, telephone number), as well as date of birth, online order history, household information and “masked” payment card details used for online purchases.
“For clarity and reassurance, M&S does not hold full payment card details on its systems, which is why we use the term ‘masked’,” the retailer said.
While customers are not required to take action, M&S warns that they may receive emails, calls or texts claiming to be from M&S when they are not.
“We will never contact you and ask you to provide us with personal account information, like usernames, and we will never ask you to give us your password,” the statement says.
Loading ...