Customer Personal Data Stolen in Marks & Spencer Cyber Attack
In April, Marks & Spencer was hit by a cyber attack which continued to cause issues both in store and online. It has now been revealed that as part of this incident, some personal customer data has been stolen, potentially including names, dates of birth, contact information, home addresses and online order history.
While they have confirmed that no account passwords have been taken, they have still urged customers to reset their account passwords “for extra peace of mind”.
The incident occurred after hackers, who targeted both Marks & Spencer and the Co-Op, tricked IT workers into giving them access to company systems. This method of attack is known as “social engineering”: rather than exploiting a technical flaw, the attacker deceives people into handing over access or bypassing a control, relying on human error to gain unauthorised access to accounts and systems. That access was then used to install ransomware, software that encrypts the data on affected systems and locks it away until a ransom is paid.
While M&S work to get things back to normal, customers have been contacted to inform them of the incident and to reassure them that, at this time, there is no evidence that the data has been shared.
The retailer has not yet confirmed how many customers have had their data stolen, but all customers of their online services have been informed of the incident. According to publicly available results from last year, M&S have roughly 9.4 million active customers.
In addition, Stuart Machin, M&S Chief Executive, has reassured customers that they are “working around the clock to get things back to normal as soon as possible”.
What can we learn from this incident:
Despite the size of the business involved and the severity and magnitude of the incident, there are still some key takeaways from this that absolutely apply to smaller businesses:
Data breach awareness schemes are vital: human error is the most common cause of data breaches, and attackers routinely exploit it to gain unauthorised access to systems. While we still don’t know exactly how the hackers gained access, it is still important to give staff the training and resources to recognise attempted social engineering attacks and to report anything suspicious.
It’s vital to know how and when to inform data subjects that personal data may have been compromised: in this case, M&S have done a good job in informing customers of the breach, setting out which categories of data may have been compromised, stating that there is currently no evidence the data has been shared, and reassuring customers that passwords and payment details have not been compromised.
Article 34 of UK GDPR states that a breach must be communicated to the data subject, without undue delay, if it is “likely to result in a high risk to the rights and freedoms” of that data subject. Some of the data compromised here clearly meets that threshold, so M&S did the right thing in informing the affected data subjects. For example, the fact that email addresses are potentially included exposes the data subject to targeted phishing, and when combined with other personal data such as names, dates of birth and home addresses, it could facilitate impersonation and identity fraud. Note that this duty is separate from the Article 33 requirement to notify the ICO within 72 hours of becoming aware of a breach, which applies unless the breach is unlikely to result in a risk to individuals.