M&S warns shoppers are at risk from scammers after cyber attack
Marks & Spencer has written to customers to alert them that personal data was taken by cyber criminals - Neil Hall/EPA-EFE/Shutterstock

Marks & Spencer has warned shoppers to be on the lookout for scam calls and emails after hackers stole customer data from its systems.

The retailer is this week writing to customers to alert them that personal data have been taken by cyber criminals, including partial credit card details, contact information, dates of birth and order histories.

It admitted that the hackers may have accessed “masked” payment details – typically the final four digits of a card used for payment. While this cannot be used to make a payment, it could be useful information for scammers to trick victims into handing over their full credit card numbers.

Jayne Wall, M&S operations director, urged customers to be vigilant and not give away personal details to unknown callers. “You do not need to take any action, but you might receive emails, calls or texts claiming to be from M&S when they are not, so do be cautious,” Ms Wall said.

She added: “Remember that we will never contact you and ask you to provide us with personal account information, like usernames, and we will never ask you to give us your password.

“Importantly, the data does not include useable card or payment details, and it also does not include any account passwords.”

The retailer said: “For clarity and reassurance, M&S does not hold full payment card details on its systems, which is why we use the term ‘masked’.”

The data stolen are believed to include names, phone numbers, addresses, dates of birth and customer reference numbers.

M&S yesterday wrote to millions of members of its Sparks rewards programme and anyone who has made a purchase from M&S.com to warn them their information could be at risk. It will also be prompting them to reset their passwords. It has so far refused to confirm how many customers have been affected.


The FTSE 100 retailer has been grappling with the fallout of a cyber attack that began almost a month ago.

Hackers are believed to have infiltrated M&S’s IT network and encrypted its systems using ransomware, demanding payment in exchange for unlocking the computers. M&S has since been forced to rebuild much of its technology.

Online sales have been paused for almost three weeks and the company has frozen hiring in the wake of the attack. Shelves have also been left bare amid the disruption.

On Tuesday, analysts at Bank of America said the disruption was costing M&S an estimated £43m per week in lost sales and would result in a 7pc hit to its profits for the coming year. The cyber attack has wiped more than £7bn from M&S’s stock market value.