Marks & Spencer recently confirmed a serious data breach following a cyber attack carried out by the ransomware group DragonForce. The attack led to the theft of sensitive customer information. With online orders only just resuming and projected losses of £300m, the incident highlights just how vulnerable even the UK’s most trusted retailers can be.
We’ve summarised the key facts from the BBC’s coverage below. Read the full article here: BBC News – M&S Cyber Attack
This April, M&S suffered a cyber attack orchestrated by the ransomware group DragonForce. According to M&S's CEO, Stuart Machin, the hacker used social engineering to trick an employee into disclosing passwords and login access, which ultimately allowed the hacker to access its customers' personal data.
M&S confirmed that the stolen data included customer names, telephone numbers, home addresses, and dates of birth. Although access to card details and account passwords was avoided, the level of contact information stolen puts its customers at risk of identity fraud and makes them susceptible to convincing scams.
DragonForce is a ransomware group that offers its services to a number of cyber-criminals in exchange for 20% of the ransom collected. It is not yet clear who instructed DragonForce to carry out the attack, but there has been speculation that Scattered Spider, the hackers behind the Harrods cyber attack, may be involved.
In response to the attack, M&S emailed all website users to inform them of the breach, reported the breach to the relevant authorities and began working with cyber security experts to monitor and mitigate any further developments.
Customers were also advised by M&S to reset their account passwords "for extra peace of mind" and to remain vigilant against fraudulent emails, calls and texts from scammers posing as M&S.
After more than six weeks, M&S has returned to taking online orders, which had been suspended following the attack. Customers are now able to order clothing and footwear, with beauty and homeware products expected to be available for home delivery in the next few days. Click and Collect services should also resume in the coming weeks.
M&S estimates that this attack will reduce its profits for the year by £300m. While customers appear to be showing support and sympathy for the retailer, M&S has obviously also faced significant reputational damage as a result of the event.
If this cyber attack has prompted you to reconsider whether your business is in compliance with the data protection regime, or if you have any queries regarding the legal requirements following a cyber attack, please feel free to contact a member of our Data Protection and Privacy team on +44 (0)203 987 0222 or email info@ilaw.co.uk.