The BBC investigates the aftermath of the Marks & Spencer cyber-attack, that knocked out its online offer and caused disruption to available lines within the store network.

It reports that Marks & Spencer has revealed that some customer data was stolen during a recent cyber-attack targeting the retailer.

The company has been struggling to get services back to normal since the attack in April, which left some shelves empty, deliveries in limbo and online orders suspended.

It told customers on Tuesday 13^th May 2025, to remain cautious about receiving emails, calls or texts claiming to be from M&S.

M&S has revealed that some personal customer data was stolen during the attack.

It says information taken could include contact details such as people’s names, home addresses, phone numbers and email addresses.

Dates of birth and online order history may also be among the data stolen. But it does not include useable payment or card details, or account passwords, M&S says.

The retailer will prompt customers to reset passwords for “peace of mind”. It adds that while users do not need to take any action, they should remain alert to possible attempts to extract or misuse their information. Online orders are still paused at this time.

M&S’s problems began over the Easter weekend, with customers reporting problems with Click & Collect and contactless payments. The company confirmed it was dealing with a “cyber incident” and although those services have now resumed, on Friday 25 April, it paused online orders on its website and apps.

It is understood that customers who have received a ready-to-collect email can pick up their order in store, and orders placed after Wednesday 23 April will be refunded.

M&S was targeted by a ransomware attack. This is a type of malicious software used to scramble important data or files after gaining access to a business’ computer systems, essentially locking them away unless a ransom is paid. Hackers often threaten to leak or sell the data to pressure a business into paying up.

A ransomware group called “DragonForce” told the BBC it was responsible for the attack on M&S, the Co-op and an attempted hack of Harrods and said there would be more attacks soon.  DragonForce operates an affiliate cybercrime service so anyone can use their malicious software and website to carry out attacks and extortions.

It is not known who is ultimately using the DragonForce service to attack retailers, but some security experts say the tactics seen are similar to that of a loosely coordinated group of hackers who have been called Scattered Spider or Octo Tempest. The gang operates on Telegram and Discord channels and is English-speaking.