M&S customer data stolen in cyber attack
M&S shelves have been left empty as the retailer struggles to get food orders to stores on time - Holly Williams/PA

Marks & Spencer has admitted that customer data was stolen in a cyber attack that has crippled the retailer.

The high street giant said it would be writing to millions of customers on Tuesday to inform them that some of their personal data had been taken, more than three weeks after it first confirmed the incident.

Stuart Machin, the chief executive, said: “As we continue to manage the current cyber incident, we have written to customers today to let them know that unfortunately, some personal customer information has been taken.

“Importantly, there is no evidence that the information has been shared and it does not include useable card or payment details, or account passwords, so there is no need for customers to take any action.”

M&S declined to comment on how many customers had been affected. However, The Telegraph understands it will be writing to all customers that have details on its systems to warn them of the breach.

This includes all members of its Sparks loyalty programme and anyone who has shopped on M&S.com.

M&S chief Stuart Machin said the breach did not include payment details or passwords

Mr Machin added that customers would be prompted to reset their password next time they log into its website.

The cyber attack on M&S has forced it to halt online orders for almost three weeks, left shelves empty and wiped more than £1bn off its share price.

The news of the data breach comes more than three weeks after M&S first confirmed the cyber attack, on April 22.

The retailer claims to serve more than 32m customers worldwide, with more than 16m members on its Sparks loyalty programme.

M&S has been working with the National Crime Agency, the National Cyber Security Centre and the Metropolitan police on the incident. It has also called in cyber security experts from Silicon Valley to deal with the fallout and alerted Britain’s data regulator, the Information Commissioner’s Office.

The hack comes amid a spree of attacks on UK retailers. After M&S confirmed it had been breached, Co-op admitted customer data had been stolen. Harrods, the department store group, said it had also been targeted.

The attacks have been blamed on a hacking cartel, known as DragonForce, which has held the retailers to ransom after infiltrating their systems.

Cyber security investigators are also exploring the possibility that a group known as Scattered Spider, a gang of teenage hackers based in the UK and the US, are involved in the crime wave.

Stuart Machin, M&S’s boss, said he would write to customers about the data breach on Tuesday - Daniel Lewis

The hackers are believed to have tricked IT helpdesk workers into resetting staff passwords, giving the attackers access to internal systems. Once inside, they have attempted to steal data and encrypt the retailers’ IT networks, demanding payment to unlock them.