MARKS AND SPENCER (M&S) said on Tuesday that some personal customer data was taken during a cyber attack that has affected its online operations for more than three weeks.
The British retailer stopped accepting online orders on 25 April. Its share price has dropped 15 per cent since the Easter weekend, when issues with orders first appeared.
M&S continues to operate its 1,000 physical stores. The company is widely reported to have been hit by a ransomware attack, in which criminals gain access to systems, encrypt them, and demand payment for restoring access.
In a statement, M&S said some customer details had been compromised and blamed the “sophisticated nature” of the incident. It said affected customers would be informed.
"Importantly, the data does not include useable payment or card details, which we do not hold on our systems, and it does not include any account passwords," M&S said. "There is no evidence that this data has been shared."
The company said customers do not need to take any action. It added that it had taken steps to secure its systems and was working with cybersecurity experts, law enforcement, and government agencies to restore operations.
M&S has not disclosed the financial cost of the disruption. The impact continues to grow as it misses sales from new season ranges during the warmer May weather. About one-third of its clothing and home sales are made online.
Deutsche Bank analysts estimated earlier this month that the profit hit would be at least £30 million, with ongoing losses of about £15 million a week.
They added that cyber insurance would likely cover most of the losses, but noted that such coverage is typically limited in duration.
(With inputs from Reuters)
