UK Retail Sector Hit by Ransomware Spree
upstart writes:
M&S forces customer password resets after data breach:
Marks and Spencer (M&S) has confirmed that customer data was stolen during the Easter DragonForce ransomware attack on its server infrastructure and will be prompting all online customers to reset their account passwords as a precautionary move.
The attack unfolded three weeks ago and is thought to have been the work of a white-label affiliate of DragonForce - possibly the notorious Scattered Spider operation, which uses social engineering tactics to conduct its intrusions.
The stolen tranche of data is understood to include contact details: email addresses, postal addresses and phone numbers; personal information, including names and dates of birth; and data on customer interactions with the chain, including online order histories, household information, and 'masked' payment card details.
M&S added that customer reference numbers, but not payment information, belonging to holders of M&S credit cards or Sparks Pay cards - including former cardholders - may also have been taken.
"We have written to customers today to let them know that unfortunately, some personal customer information has been taken," said M&S chief exec Stuart Machin.
"Importantly there is no evidence that the information has been shared and it does not include useable card or payment details, or account passwords, so there is no need for customers to take any action."
[...] NordVPN chief technology officer, Marijus Briedis, described M&S' assertion that the attackers have not yet leaked or shared the stolen data as "overly optimistic" under the circumstances and warned that, even if passwords or credit card details were not exposed, the data that was taken was still very useful to cyber criminals.
"This type of data can be used in phishing campaigns or combined with other leaked information to commit identity theft," explained Briedis.
"Consumers often underestimate how damaging 'harmless' data like order history or email addresses can be in the wrong hands. These M&S hackers could use this data to build highly personalised phishing emails, designed to look identical to what the retailer would send, and these are much harder to spot.
"This breach highlights how companies must not only secure financial data, but also treat seemingly less sensitive information - like customer profiles and purchase records - as critical assets that require protection."
Read more of this story at SoylentNews.