CybersecuritySecurity NewswireCybersecurity NewsRetail/Restaurants/Convenience

Update on Marks & Spencer Cyberattack

By Jordyn Alger, Managing Editor
Colorful jackets

The Nix Company via Unsplash

May 16, 2025

United Kingdom retailer Marks & Spencer (M&S) has provided an update on the cyberattack it recently experienced, stating that personal customer data was stolen in the incident

Neither payment details nor account passwords were stolen. Instead, information at risk may include: 

  • Contact information
  • Birth dates
  • Online order history 

According to the notice, the organization has seen no evidence that the stolen information has been shared. 

Implications of the Breach 

Mr. Piyush Pandey, CEO at Pathlock:

From a compliance standpoint, this breach could trigger significant scrutiny under GDPR and UK privacy laws — particularly given the compromise of sensitive personal data, including names, addresses, birthdates, and order histories. 

For enterprises across sectors, the incident underscores the need to move beyond “checkbox” compliance and adopt a comprehensive, policy-driven governance framework — one that continuously monitors adherence to internal controls and dynamically adapts to evolving regulatory requirements and business needs.

How Customers Should Protect Themselves 

Ben Hutchison, Associate Principal Consultant at Black Duck:

In the wake of recent cyberattacks and data breaches such as this, potentially impacted users/customers should be generally aware of an increased risk of being targeted by scams. This includes phishing attacks wherein they receive communication from a malicious actor purporting to be from a legitimate source, such as the impacted company/service, and potentially leveraging compromised data in an attempt to appear legitimate and encourage them to take some action or engage with the malicious actor further; in extreme cases, even fraud by criminals using the compromised data to masquerade as the affected user (depending upon the nature of the data compromised). 

Users should generally remain vigilant for unusual activity across their accounts and take reasonable precautions such as resetting and not reusing credentials (such as passwords) across services, as well as monitoring for updates on the situation from the affected organization.

KEYWORDS: data breach retail cyber security

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Jordynalger

Jordyn Alger is the managing editor for Security magazine. Alger writes for topics such as physical security and cyber security and publishes online news stories about leaders in the security industry. She is also responsible for multimedia content and social media posts. Alger graduated in 2021 with a BA in English – Specialization in Writing from the University of Michigan. Image courtesy of Alger

close

1 COMPLIMENTARY ARTICLE(S) LEFT

Unlock the future of cybersecurity news with Security.
As a leader in enterprise security, we have you covered with the information to keep you ahead of the curve.

JOIN TODAY

Already Registered? Sign in now.

Related Articles

Related Products

See More ProductsSee More Products

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!