What should M&S customers do after criminals stole personal data in huge attack?

The personal data of M&S customers has been stolen by hackers during a huge cyber attack that may have cost the company millions. 

So what should those customers do now?

The retail giant admitted on Tuesday that some data had been stolen but reassured customers that no "usable payment or card details" were taken.

Read more: M&S says customers' personal data taken by hackers

Passwords were also not included in the stolen data but there are reports that contact details like names, addresses and phone numbers were taken.

There is no evidence the data has been shared, M&S confirmed to Sky News on Wednesday.

Despite M&S saying customers "do not need to take any action" aside from changing their password next time they log in, cybersecurity experts are worried.

Here's what they want you to do if you have an M&S account.

Watch out for phishing scams

"We often see a spike in phishing emails, fake delivery texts and scam calls after breaches like this, particularly when order history or usernames are involved," said Charlotte Wilson, head of enterprise at cybersecurity firm Check Point.

"This is not about panic, but it is a reminder that cybersecurity is not just about technology," she said.

These scams can appear more convincing because hackers can include personal details like your name, address or phone number, stolen in attacks like the one on M&S.

"Some criminals may impersonate a well-known organisation and convince victims of their credibility by providing their name, address and date of birth - before using this false credibility to scam the victim out of their money," said Sam Kirkman from NetSPI.

In fact, the criminal group reportedly behind the M&S attack is known to use tactics like this to scam people.

Rather than using software to hack past company firewalls, Scattered Spider hackers target human vulnerabilities and trick people into giving them access.

Read more from Sky News:
QR codes linked to online drugs
Could UK get US-style 'supermax' jails?

"Remember that we will never contact you and ask you to provide us with personal account information, like usernames, and we will never ask you to give us your password," said M&S operations director Jayne Wall in a message to customers.

Stop, challenge, protect

Mr Kirkman recommends following the "stop", "challenge" and "protect" steps of Take Five, a national campaign aimed at protecting people from cybercrime:

• Stop: Take a moment to stop and think before parting with your money or information. It could keep you safe.
• Challenge: Ask yourself, could it be fake? It's ok to reject, refuse or ignore any requests. Only criminals will try to rush or panic you.
• Protect: Contact your bank immediately if you think you've been scammed and report it to Action Fraud at actionfraud.police.uk or on 0330 123 2040.

Change passwords

M&S said no passwords were stolen in the data breach but Clare Loveridge from cybersecurity firm Arctic Wolf still says it is a "good idea" to change their passwords across all online accounts.

"Likewise, taking additional steps like activating two-step authentication will also improve protection, if it's not been done already," she said.

This is because attackers may test reused passwords or login credentials stolen in previous data breaches.

"Stolen personal data can still be used as pieces of a puzzle by fraudsters," said Tim Grieveson, from ThingsRecon.

(c) Sky News 2025: What should M&S customers do after criminals stole personal data in huge attack?