Retailer Marks & Spencer has confirmed that a recent cyber attack led to customer personal data being stolen, though it maintains that payment details and passwords remain secure.

Chief Executive Stuart Machin addressed the situation publicly, stating that the data breach occurred “due to the sophisticated nature of the incident.” He assured customers that financial information was not accessed. “Importantly, the data does not include usable payment or card details, which we do not hold on our systems, and it does not include any account passwords. There is no evidence that this data has been shared,” he added.

While M&S has not revealed the number of affected customers, the incident has caused significant disruption. The retailer’s website and mobile app have been offline for orders since April 25, with continuing issues affecting in-store services such as contactless payments and click and collect. Some product availability in physical stores has also been impacted.

In a message posted on social media, Mr. Machin sought to reassure customers, saying there is “no need for customers to take any action.” He explained that “to give customers extra peace of mind, they will be prompted to reset their password the next time they visit or log on to their M&S account and we have shared information on how to stay safe online.”

Retail analysts suggest the breach could carry a financial cost for the company. Marks & Spencer’s upcoming annual results, due to be announced on May 21, are expected to offer a clearer picture of the impact on the business.

Cyber security reports have linked the attack to a hacking group known as Scattered Spider. The Metropolitan Police have confirmed their involvement, stating that detectives from the cyber crime unit have launched an investigation, which remains ongoing.

As the situation develops, both customers and investors are watching closely for updates on recovery efforts and how M&S plans to prevent future incidents.