Marks & Spencer Website Suspended After Customer Data Breach

Marks & Spencer temporarily suspended its website on Tuesday night after “technical difficulties” that exposed customer information to other website users.

But the British retailer insisted that its website was not hacked by outside third parties, and that there is no security risk for affected customers.

Not Hacked

The M&S website is back online and operating normally as of Wednesday morning, after its suspension for a couple of hours on Tuesday night.

An M&S spokesperson confirmed to TechweekEurope today that the M&S website was suspended at 7.30pm on Tuesday evening, and was restored around 10pm.

The company was keen to stress that this was not a breach by outside third parties, but was the result of internal ‘technical difficulties’.

“Due to a technical issue we temporarily suspended our website yesterday evening,” M&S said. “This allowed us to thoroughly investigate and resolve the issue and quickly restore service for our customers. We apologise to customers for any inconvenience caused.”

Prior to the website suspension, it seems that when M&S customers logged into the website, they could see other people’s orders. And some customers reportedly claimed they could see payment details of other customers.

However, M&S insisted that, as the details were encrypted, there was no security risk.

Financial Implication

At least one security expert has warned that businesses today need to be aware of the potential financial implications of exposing customer data.

“Many companies are flying blind when it comes to security, because they don’t think it affects them,” said Phil Barnett, vice president of Global Good Technology. “The truth is that it’s not just a conversation for banks or governments anymore, 90 per cent of companies have actually experienced a hack, and recent examples like Sony and TalkTalk have proved that – anyone and everyone is a potential victim of hacks and data leaks.”

And he warned of the impending legislation that could see firms slapped with large fines.

“When GDPR is implemented in 2016, companies experiencing a data breach could face a fine of two percent of worldwide revenue, so it’s not just going to be some painful interviews and a drop in share price, there’s the potential of big fines for every business.”

As it currently stands, it is still not mandatory for firms to report data breaches, but the incoming General Data Protection Regulation (GDPR) is likely to enforce a change in reporting requirements.


Tom Jowitt
