Shorouk Express
Get the free Morning Headlines email for news from our reporters across the world
Sign up to our free Morning Headlines email
Sign up to our free Morning Headlines email
Cyber security experts have urged Marks & Spencer customers to “stay vigilant” for scams and fraud after the retailer confirmed some personal data had been stolen in a cyber attack.
M&S assured customers on Tuesday that while some data, including names, email addresses, postal addresses and dates of birth, may have been accessed, no payment information, card details, account passwords, or other sensitive data were compromised.
The stolen data is also not believed to have been shared online.
Experts say potentially affected customers should still be particularly wary of phishing scams, where criminals pose as official businesses in an effort to get personal and financial information from their victims.
Matt Hull, head of threat intelligence at cyber security firm NCC Group, said that despite the attackers not having accessed financial data or passwords, “threat actors could potentially use the stolen information to launch targeted social engineering attacks”.
He added: “Stay vigilant for phishing messages pretending to be from M&S or other companies you’ve dealt with. These attackers might use the leaked M&S information to craft very convincing scams.
“Cyber criminals are likely to sell this data on the dark web as well, putting customers at even more risk.
“If you’re unsure about an email’s authenticity, don’t click any links. Instead, visit the company’s website directly to verify any claims. This extra step can protect you from falling victim to phishing attacks.”
open image in gallery
Sam Kirkman, director of services for Europe, the Middle East and Africa at cyber security firm NetSPI, said M&S customers should also be aware of identity fraud following breaches such as this.
“The personal information stolen in this breach would significantly increase the risk of identity fraud if it is released publicly or shared with other criminals,” he said. “It is therefore vital that potential victims monitor their credit scores to ensure financial products are not taken out in their name, without their consent.
“It is also important to remain alert to scams that may leverage this information toward you or your family members [in order] to appear more legitimate. For example, some criminals may impersonate a well-known organisation and convince victims of their credibility by providing their name, address and date of birth – before using this false credibility to scam the victim out of their money.”
William Wright, chief executive of Closed Door Security, said the “best advice” for M&S customers in the wake of the incident is to be “highly cautious” of all email correspondence in relation to the attack, as this is how criminals are most likely to target people.
“Don’t send personal information over email, treat phone calls relating to the breach with caution, and if an email does come in requesting information, don’t hit reply – instead, contact M&S via the email address on its genuine website to verify its validity,” he said.
open image in gallery
Chris Burton, head of professional services at Pentest People, also encouraged people to shore up their online security more broadly.
“The first piece of advice I would provide is to change your password at the earliest opportunity, ensure it’s complex, and do not ‘password share’ with any other logins you may have,” he said. “If the online retailer supports multi-factor authentication (MFA), this should also be enabled. If you configure MFA, I’d avoid using SMS based tokens; use an authenticator app.
“If an online retailer has enabled passkeys, you can use a password manager to generate a passkey, which essentially makes your account ‘passwordless’. The passkey is a unique ‘key’ which is used to validate the user: it doesn’t require any keying of passwords and won’t store a password that could potentially be harvested.
“I would always discourage people from saving their payment methods with providers; this is a common feature, and although there are security precautions in place with these types of things, I’d personally sooner not run the risk.
“Keep an eye on your personal information and things like credit files. If your personal details are harvested from a compromised source, there is the opportunity for impersonation. You may get an increase in spam calls claiming to be from various companies such as Amazon or other high-end retailers.”
