Cyber Update
An update from M&S about the recent cyber incident
Dear customer,
I’m Jayne Wall, and I look after Customer Service here at M&S. I am sure that you will have seen in the news that we have been dealing with a cyber incident and I wanted to write to you about what this means for you.
What has happened?
To proactively manage the incident, we immediately took steps to protect our systems and engaged leading cyber security experts. We also reported the incident to relevant government authorities and law enforcement, who we continue to work closely with.
Unfortunately, the nature of the incident means that some personal customer data has been taken, but there is no evidence that it has been shared. The personal data could include contact details, date of birth and online order history. However, importantly, the data does not include useable card or payment details, and it also does not include any account passwords. For more detail, see our FAQs.
How does this affect me and what should I do?
You do not need to take any action, but you might receive emails, calls or texts claiming to be from M&S when they are not, so do be cautious. Remember that we will never contact you and ask you to provide us with personal account information, like usernames, and we will never ask you to give us your password.
For more information, FAQs and hints and tips on how to stay safe online visit corporate.marksandspencer.com/cyber-update.
To give you extra peace of mind, next time you visit or login to your M&S.com account on our website or app, you will also be prompted to reset your password.
We sincerely apologise for any inconvenience caused to you and all of our customers.
Thank you so much for shopping with us and for your support, we never take it for granted.
Jayne Wall
Operations Director
FAQs
- The personal data taken could include contact details - such as name, email address, addresses, telephone number - date of birth, online order history, household information and ‘masked’ payment card details used for online purchases. For clarity and reassurance, M&S does not hold full payment card details on its systems, which is why we use the term ‘masked’.
- In addition, if you have or previously had an M&S credit card or Sparks Pay, your customer reference numbers, which are not your credit card number or payment details, could also be included. Importantly, the data does not include useable card or payment details.
- You do not need to take any action, but you might receive emails, calls or texts claiming to be from M&S when they are not, so do be cautious.
- We will never contact you and ask you to provide us with personal account information, like usernames, and we will never ask you to give us your password.
Here are some hints and tips on how to stay safe online:
- Be careful if you receive an email or text message asking you to click on a link – check it goes to where you expect it to.
- Use a strong and unique password for your email account and use different passwords for each account you have.
- Always do your software updates on your phones and devices as they often contain important security updates to protect you.
- If you need more help, there is some good advice on the government’s National Cyber Security Centre website www.ncsc.gov.uk/guidance/data-breaches
You do not need to take any action and, to give you extra peace of mind, next time you visit or login to your M&S.com account on our website or app, you will also be prompted to reset your password.
- When you next go to login on your M&S account, you will enter your account details and click sign in.
- You will then see a message in red which asks you to click the ‘reset your password’ link.
- Please click the link and you will be taken to a new webpage on M&S.com.
- Once there, enter your email address and click the ‘send password reset’ link.
- You will then receive an email to your registered account from Marks and Spencer Service asking you to reset your password.
- Please click the ‘reset your password’ button in the email.
- You will then be taken to a new webpage on M&S.com to enter your new password.
- Enter and confirm your new password and then click the ‘reset my password’ button.
- When this has been done, you will see a message to confirm your password has been changed.
- Remember to use a strong and unique password.
You can still use your physical Sparks card. Your digital card can be accessed via your mobile phone’s digital wallet. To access your Sparks card on the M&S App you will be prompted to reset your password.
You will continue to receive emails from M&S. At the moment, Sparks offers are paused but they will be back shortly and shared in the normal way.
If you have questions that have not been answered here, please head to www.marksandspencer.com/help-and-support/contact/cyber-incident – we are here to help.