LONDON :British retailer Marks and Spencer said on Tuesday some personal customer information was taken in the cyber attack that has crippled its online operation for more than three weeks.
M&S, one of the best known names in British business, stopped taking online orders on April 25, and its share price has fallen 15 per cent since the Easter weekend, when problems with orders first started.
The retailer, whose 1,000 stores remain open, is widely reported to have been the victim of a ransomware attack, where criminals infiltrate companies’ computer systems, encrypt them and demand payment before allowing them to resume control.
M&S said some customer details had been taken, blaming the “sophisticated nature” of the incident, and said it would inform customers of the issue.
“Importantly, the data does not include useable payment or card details, which we do not hold on our systems, and it does not include any account passwords,” M&S said in its statement. “There is no evidence that this data has been shared.”
Advising customers there was no need to take any action, the company said work was continuing to get operations back to normal. It said it had taken steps to protect is systems, while working with cybersecurity experts, law enforcement and government agencies.
M&S has declined to quantify the financial impact, which is growing by the day as it misses out on sales of new season ranges with much of the UK basking in warm May temperatures. It makes around one-third of its clothing and home sales online.
Analysts at Deutsche Bank estimated earlier this month that the profit hit would have been at least 30 million pounds and the run rate at about 15 million pounds a week.
They said cyber insurance would likely cover most of the impact but that cover is generally provided for a limited amount of time.
