Almost every company would retreat into damage control and face-saving frenzy after a data breach, and Marks & Spencer was no different when it suffered what its CEO labelled a “sophisticated” cyber attack in April 2025.
The retailer has since issued multiple updates on containment efforts. The latest one came on May 13, when M&S confirmed that customer data had in fact been stolen but was quick to add that “the data does not include usable payment or card details, which we do not hold on our systems, and it does not include any account passwords.” Customers were told no action is needed, but will be prompted to reset passwords on their next visit or login as a precaution.
While we commend M&S for being upfront, the number of affected customers remains undisclosed. With about 9.4 million active online customers reported last year, accepting the company’s reassuring, low-risk framing could be a costly mistake, and here’s why.
Key Takeaways
- M&S suffered a “sophisticated” cyberattack in April, resulting in stolen customer data.
- The stolen data did not include usable payment details or account passwords, but did include personal customer data.
- Experts warn that even “low-risk” data can be exploited for phishing and social engineering attacks.
- M&S has not disclosed the number of affected customers and is prompting password resets as a precaution.
- Customers are advised to remain vigilant, enable multi-factor authentication, and consider extra precautions like using disposable virtual cards.
Any Sensitive Data Can Be Dangerous in the Wrong Hands
There’s a pattern that tends to repeat itself after a breach. A company confirms a cyberattack, admits some data was accessed, and then tries to calm the waters. In the case of M&S, the company stated that no payment details or account passwords were stolen, only personal information. That was meant to reassure people. But what it actually does is reveal a bigger blind spot in how we think about cybersecurity risk.
Attackers don’t always need the crown jewels of customer data to cause serious harm. What’s often labeled as “non-usable” or “low-risk” data, like names, phone numbers, email addresses, and order history, can still be incredibly valuable. It’s the kind of information that forms the foundation of phishing attacks and social engineering scams.
Cybersecurity Strategist at Sysdig, Crystal Morin, told Techopedia in a statement that attackers often find a way to use low-risk data to get to their targets. She said:
“Attackers will find a way to use the information they have, regardless of how insignificant it may seem. They can weaponize low-risk data by using victims’ personal information in targeted social engineering campaigns like spear-phishing emails, phone calls, multi-factor authentication request fatigue, and more.”
“This kind of data feeds directly into phishing attacks,” Ron Marsden, full-stack developer at Maxweb Solutions, shared with Techopedia in a chat.
Marsden said:
“If an attacker knows you’re an M&S customer and your name and email, they can send a very convincing fake email pretending to be from M&S, maybe asking you to reset your password or check a fake order.”
Marsden further explained that the goal isn’t always instant access to bank accounts, but often about building trust first, then exploiting it down the line.
Stay Cautious of Inference Attacks, Password Prompts
To set customers at ease, M&S assured them that they will be prompted to reset their password when they next try to log into their account. This is a good start, yet that’s exactly where attackers may be looking to pounce.
While arguing the need for more proactive measures from the retailer, Mike Logan, CEO of C2 Data Technology, a data security posture management (DSPM) solutions developer and consultancy, warned that “attackers can absolutely target victims through inference attacks.”
For context, an inference attack is a technique where bad actors take fragments of stolen information, such as names, email addresses, and phone numbers, and combine them with publicly available data to infer more sensitive details about a person. Over time, this patchwork of information can reveal usernames, partial passwords, or even the answers to security questions.
Although this method relies on logic and patience, Logan insists we should not “underestimate the creativity of modern hackers. They excel at piecing together small, seemingly harmless data points to reveal much more sensitive information.”
While spear phishing attacks on customers seem the most likely outcome from this type of incident, Martin Jartelius, CISO at Outpost24, noted that, depending on the data stolen, affected users should also expect more targeted marketing. He said:
“Depending on what information was in it, low-risk data can potentially also be used to identify your interest and allow targeted marketing towards you.”
What the M&S Breach Tells Us About Corporate Responses to Cyber Attacks
This breach exposed not just customer data but also just how thin many corporate responses to cyber attacks really are.
For a company with nearly 10 million online customers, the reaction followed a now-familiar rhythm: issue a statement, downplay the risk, and promise security improvements. This playbook is built more for PR than prevention.
Marsden said:
“‘Low-risk’ is a PR term. From a dev/security point of view, there’s no such thing. Any data loss is a risk.”
Marsden added that while M&S was transparent about the breach, its handling highlights a broader industry problem. “It looks like we’re still in reactive mode. M&S did the right thing by being upfront, but like a lot of organizations, it highlights that many companies still aren’t investing enough in proactive security,” he said.
Those proactive steps, experts argue, should go far beyond vague advice about changing passwords. Logan said the breach underscores the need for “data mapping and continuous risk assessments,” alongside stronger technical safeguards like zero trust architectures and strict access controls.
When breaches happen, response efforts should do more than protect brand reputation. “Broadly speaking, this breach highlights that corporate responses often focus on reassuring the public and minimizing legal liability,” John Yensen, President at Revotech Networks, said in a statement to Techopedia.
“In my opinion, clear communication that comes with immediate support would be a very robust response,” said Yensen.
What Impacted Customers Can Do to Stay Safe
With data like emails, names, and perhaps phone numbers allegedly carted away, Marsden of Maxweb Solutions calls on M&S customers to “remain cautious” of password reset prompts, as attackers can use this data to create convincing phishing emails that mimic legitimate security alerts.
However, David Currie, CEO of Vaultree, a secure data enablement solutions company, still calls on M&S customers to reset their password before anything else.
Yensen recommends several steps to stay secure:
- First, create a dedicated email alias for your M&S orders to keep phishing attempts in a separate inbox.
- Next, enable multi-factor authentication (MFA) on your M&S account and any linked services to block unauthorized logins.
- Also consider using a disposable virtual card, offered by many banks, for payments. This ensures leaked details can’t be reused.
- Set up a free dark-web monitoring alert for your email address and phone number to catch exposures early, so you can act proactively.
- Finally, opt out from major data brokers like Whitepages or Spokeo to limit your personal data online.
The Bottom Line
Despite the reassurance from M&S, a data breach of this magnitude should not be framed in a way that downplays its risks.
While the retailer has done its bit to contain the damage, customers must take it from here now that they know some of their data rests in the hands of cyber criminals. We can’t overemphasize the need to be vigilant at this time.