United Kingdom retailer Marks & Spencer (M&S) has provided an update on the cyberattack it recently experienced, stating that personal customer data was stolen in the incident. 

Neither payment details nor account passwords were stolen. Instead, information at risk may include: 

• Contact information
• Birth dates
• Online order history 

According to the notice, the organization has seen no evidence that the stolen information has been shared. 

Implications of the Breach 

Mr. Piyush Pandey, CEO at Pathlock:

From a compliance standpoint, this breach could trigger significant scrutiny under GDPR and UK privacy laws — particularly given the compromise of sensitive personal data, including names, addresses, birthdates, and order histories. 

For enterprises across sectors, the incident underscores the need to move beyond “checkbox” compliance and adopt a comprehensive, policy-driven governance framework — one that continuously monitors adherence to internal controls and dynamically adapts to evolving regulatory requirements and business needs.

How Customers Should Protect Themselves 

Ben Hutchison, Associate Principal Consultant at Black Duck:

In the wake of recent cyberattacks and data breaches such as this, potentially impacted users/customers should be generally aware of an increased risk of being targeted by scams. This includes phishing attacks wherein they receive communication from a malicious actor purporting to be from a legitimate source, such as the impacted company/service, and potentially leveraging compromised data in an attempt to appear legitimate and encourage them to take some action or engage with the malicious actor further; in extreme cases, even fraud by criminals using the compromised data to masquerade as the affected user (depending upon the nature of the data compromised). 

Users should generally remain vigilant for unusual activity across their accounts and take reasonable precautions such as resetting and not reusing credentials (such as passwords) across services, as well as monitoring for updates on the situation from the affected organization.