An update now on that cyber attack that hit Marks and Spencer three weeks ago. The firm revealed some personal customer data was stolen in the attack. The retailer said the information taken could also include contact details, date of birth, and online order histories, but it added the theft didn't include usable payment or card details or any passwords.
M&S is still struggling to get services back to normal with online orders still suspended. Our cyber correspondent, Joe Tidy, is with me in the studio. Joe, just what else has emerged about this?
Well, I'm afraid, yeah, this was a bit inevitable because we know that the way that these ransomware groups work is they get into a company's system. They quite often, nearly always now, do something called double extortion, which means they first of all steal a copy of whatever data they can get and then they scramble the victim's data. So in this instance, as we expected, they took a load of data before they scrambled M&S's systems.
So what we've seen the last three weeks is the chaos of what happens when you scramble the data. M&S now, obviously, no online orders for a long time, empty shelves in some stores, that kind of thing. But behind the scenes, we can now reveal, because M&S have told us, that they have had this situation where the hackers have said, "We've got X amount of data from customers."
So they've now got two bargaining chips. They say, give us the ransom that we want, often in Bitcoin. So they'll say, I don't know, a few million, for example, for something as big as M&S, and we'll give you the key to unlock the data to get your systems back up and running, and we won't sell on all the data that we've stolen to other criminals.
So now we know that there is this massive bargaining chip that the hackers are hanging over M&S: as you say, names of customers, date of birth, telephone number, home address, household information. I don't know what that means, household information.
What else could there be apart from home address? Email address and order history. And it's that last one, the order history, that would worry me the most as an M&S customer, because all the other information, yes, you don't want that in the hands of cyber criminals.
They can use that to build a profile on you for identity theft, but it's the order history. So now they've got a really good potential secondary attack where they can go to customers, possibly at scale, and say, "We know your order history. We are M&S.
Please give us some more details." They can carry out more attacks using impersonation in order to gain more details. So, what can M&S do about it and what can customers do about it?
Well, M&S has a very simple choice. Do they pay the hackers or not? At the moment, the hackers have all the power.
They've got all this data that they can potentially sell or give away. Usually, they give it away. They've got a darknet website that they use in order to publicize the data theft to other hackers, other cyber criminals.
I've been on that this morning, been refreshing it twice a day for the last two weeks, waiting to see whether or not they would post about M&S. There's still nothing on there at the moment, but I imagine now that M&S has done this, the hackers will start boasting about their hack publicly and we'll see this public extortion. So M&S can either pay the hackers to get this pinky promise that they'll delete the data, which doesn't always happen, or they can deal with the consequences of potentially, you know, millions of people's data out there.
For customers, the advice is be extra vigilant, always the same, isn't it? But it's waiting for those emails and those potential phone calls from secondary hackers pretending to be M&S. That's what you want to watch out for.
That's the worry. There's no bank details stolen, M&S is saying. So, there's no way that we're going to see banks being emptied by these hackers, but it's the secondary attacks that are potentially concerning.
Also, the advice from M&S is to change passwords to your online accounts for M&S as well. How worried must other big companies be by something like this? Well, these are happening all the time.
These ransomware attacks are every single day; there are companies around the world being hit. But what's unique about this situation is you've got a high street brand being hit in such a way that we are seeing the ramifications in front of us. I spent a long day reporting last week and, getting the train home, there was nothing on the shelves for a late-night snack for me in M&S.
So, sort of like you're seeing the consequences of these hacks, which often you don't see. But the other thing, of course, is that these hackers are going for other retailers at the same time. So, we know that they've attacked Co-op.
I spoke to the hackers who said they've done Co-op, Harrods, and M&S, and they're boasting about, you know, putting UK retail on a hit list, as they're calling it. I don't think we're there. I think they're boasting about how powerful they can be.
I think they perhaps got lucky and got M&S and Co-op. And we don't even know what happened to Harrods. It might have been a, you know, a false alarm there.
But certainly it is a very concerning time, not just for UK retailers but for all organizations, because, as I say, these hacks are happening all the time. I went on the DragonForce website this morning and it's like a graveyard. You know, there are dozens and dozens of other organizations in exactly the same position that haven't paid the ransom.