
Marks & Spencer admits cybercrooks made off with customer info

(2025/05/13)


Marks & Spencer has confirmed that customer data was stolen as part of its cyberattack, fueling conjecture that ransomware was involved.

The retail giant's operations were hit hard: it had to [1]pull systems and services offline, and now data has been exfiltrated – all of which are common hallmarks of a ransomware attack. Yet M&S has neither confirmed nor denied the involvement of ransomware.

In a statement posted to the London Stock Exchange Tuesday morning, M&S said: "Today, we are writing to customers informing them that due to the sophisticated nature of the incident, some of their personal customer data has been taken. Importantly, the data does not include usable payment or card details, which we do not hold on our systems, and it does not include any account passwords. There is no evidence that this data has been shared.


"We have said to customers that there is no need to take any action. For extra peace of mind, they will be prompted to reset their password the next time they visit or log onto their M&S account, and we have shared information on how to stay safe online.


"We remain grateful for the support that our customers, colleagues, partners, and suppliers have shown us during this time."

The Register asked M&S for more details about the type of data stolen. It directed us to the [5]customer update displayed on its website, which confirmed names, dates of birth, telephone numbers, home addresses, household information, email addresses, and online order histories could be affected.


We also asked what exactly it meant by "usable payment or card details." A spokesperson said: "We don't hold full card payment details on our systems, so it's masked and not usable."

M&S is one of the three big British retailers battling cybersecurity troubles alongside the [7]Co-op and Harrods. It detected the intrusion on April 22 and recovery efforts are ongoing.

The incident was widely thought to involve ransomware from the outset, and wider reports suggested the group known as Scattered Spider could be behind the attacks, equipped with DragonForce's ransomware payload.


DragonForce's site on the dark web mysteriously went down around the time of the M&S attack but came back online in recent days after a lengthy outage. None of the three retailers appear on the website, and the group's leadership has not laid claim to any of these attacks.


M&S has experienced various types of operational disruption since the attack was confirmed last month, from its in-store returns function being unavailable, [13]shuttering all online and app orders, to stock shortages at its satellite stores.

Likewise, Co-op has also been dealing with stock issues at various stores across the UK, while luxury goods store Harrods has kept its cards close to its chest with very little public communication.

As ever, cybersecurity experts have warned customers to remain vigilant to [14]phishing attacks now that their data is in the hands of criminals.

Matt Hull, head of threat intelligence at NCC Group, said: "The data breach at M&S is a stark reminder that no organization is completely immune from cyber threats, and that all forms of customer data require stringent protection.

"Despite the absence of financial data or passwords, threat actors could potentially use the stolen information to launch targeted social engineering attacks. Stay vigilant for phishing messages pretending to be from M&S or other companies you've dealt with. These attackers might use the leaked M&S information to craft very convincing scams.

"Cybercriminals are also likely to sell this data on the dark web as well, putting customers at even more risk.

"If you're unsure about an email's authenticity, don't click any links. Instead, visit the company's website directly to verify any claims. This extra step can protect you from falling victim to phishing attacks."

Since the cyberattack was made public on [15]April 22, the M&S share price has slumped by more than 14 percent, wiping in excess of £1 billion ($1.32 billion) off its market capitalization. ®

[1] https://www.theregister.com/2025/04/24/marks_spencer_outage_ongoing/


[5] https://www.corporate.marksandspencer.com/cyber-update


[7] https://www.theregister.com/2025/05/02/ncsc_steps_in_as_harrods/


[13] https://www.theregister.com/2025/04/25/ms_halts_online_orders/

[14] https://www.theregister.com/2025/04/23/stolen_credentials_mandiant/

[15] https://www.londonstockexchange.com/stock/MKS/marks-and-spencer-group-plc/company-page


as a regular customer ...

Anonymous Coward

I don't really give a fuck that they got hacked (I mean, its not ideal, but it happens, especially to organisations such as this).

The thing that I do give a fuck about is them not practicing the art of full disclosure and telling us what happened, in full.

Still relatively early days, so maybe when they're fully recovered they will.... (I won't hold my breath. Thus far, they've looked very reluctant to disclose information).

Re: I don't really give a fuck that they got hacked...

Mentat74

Well... I do...

If a company holds my personal data then they are responsible for its safety!

And they should be held accountable for any negative consequences of a data breach...

Re: I don't really give a fuck that they got hacked...

Lee D

My biggest question is why does M&S hold your date of birth?

Re: I don't really give a fuck that they got hacked...

heyrick

It's quite common for retailers to ask that - in return they offer special crap on your birthday...

Re: I don't really give a fuck that they got hacked...

Woodnag

To go with the "household information" that they retain.

Re: I don't really give a fuck that they got hacked...

wolfetone

Has your data fundamentally changed since the Equifax hack?

Remember - you didn't need to be an Equifax customer to have been affected. You only had to have been dealing with a 3rd party who used them for a credit check.

We're all fucked. This M&S hack is the one you hear about, I'm certain there are others that haven't been revealed.

Re: as a regular customer ...

Roland6

From the issues they are having with stock control and distribution, I suspect M&S are still struggling to get back into their systems and thus still don't actually know the extent to which they have been compromised...

Whilst people are focusing on the customer data, what is clear is that M&S are struggling with inadequate business continuity plans and a sudden discovery of just how much expertise and sector knowledge has gone, with weird nonsensical deliveries being made to stores because staff no longer have any real understanding of what stores are selling and what is a store's normal level of business and stock turnover.

Suspect the Co-op is hitting exactly the same stock delivery problems...

Re: as a regular customer ...

Dave@Home

There are a lot of staff posting on reddit with stories, including inability to see rotas and booked holidays as well

Stores seem to be getting pallets of big sellers and a lot of smaller throughput items are missed off

Re: as a regular customer ...

brainwrong

"no longer have any real understanding of what stores are selling"

Some retail businesses appear to have no real idea what they're selling anyway, or know how to manage their stock.

I've seen one convenience store retailer that would re-order stock to replace sold items, but the stock control system didn't record the price the item was sold at, only that a sale occurred. They also had a policy that items close to their sell-by or best-before dates would be reduced however much was necessary for them to sell; they weren't to bin any items. One store got themselves into the situation where they kept getting deliveries of an item that nobody wanted, and it all had to be reduced to below cost price to sell, losing them money. More such items were then ordered and delivered to the store. They were unable to stop this.

If you look in your local supermarket, you will often see with short life products that a new delivery will be put straight out on the shelves behind older stock without waiting for the older stock to sell. Shoppers then rummage through and take the newer items, leaving the older items on the shelf to get older. They should wait for the old stock to sell first (it usually still has a good life at this point) and then put out the new stock, that way you're less likely to find the only items on display have 1 day life.

Re: as a regular customer ...

Primus Secundus Tertius

I am one of those customers who rummage at the back for new stock. I refuse to buy end-of-life items, I will find something else instead. So put the new stuff up when you get it, please.

Re: as a regular customer ...

brainwrong

The point is that the stock should not get to be end of life in the first place.

MSM: The hackers are believed to have tricked IT helpdesk workers into resetting staff passwords

tip pc

From the telegraph

https://www.telegraph.co.uk/business/2025/05/13/ms-customer-data-stolen-in-cyber-attack/#:~:text=The%20hackers%20are%20believed%20to%20have%20tricked%20IT%20helpdesk%20workers%20into%20resetting%20staff%20passwords%2C%20giving%20them%20access%20to%20internal%20systems.%20Once%20inside%2C%20they%20have%20attempted%20to%20steal%20data%20and%20encrypt%20the%20retailers’%20IT%20network%2C%20demanding%20payment%20to%20unlock%20them.

The hackers are believed to have tricked IT helpdesk workers into resetting staff passwords, giving them access to internal systems. Once inside, they have attempted to steal data and encrypt the retailers’ IT network, demanding payment to unlock them.

Re: MSM: The hackers are believed to have tricked IT helpdesk workers into resetting staff passwords

Anonymous Coward

The worst thing about this.. a password/user combination alone shouldn't give you access to shit. We live in the age of FIDO, device compliance, device certificates, non-phishable MFA, so-on and so-forth.

WTF is going on when a major supermarket isn't practicing basic security principles?

Re: MSM: The hackers are believed to have tricked IT helpdesk workers into resetting staff passwords

Roland6

It was only a year ago that AWS mandated SFA for AWS root/admin accounts. 365 still allows username/password access to admin accounts…

Re: MSM: The hackers are believed to have tricked IT helpdesk workers into resetting staff passwords

Anonymous Coward

"Multifactor authentication for admins accessing Microsoft Admin Portals" was pushed as a conditional access policy by Microsoft in December.

I wonder ...

Roger Greenwood

... which date of birth they have for me?

Well...

Michael Hoffmann

... I'm sure that got their knickers in a twist!

This is not just a breach, it's an M&S breach...

Steve K

This is not just a breach, it's an M&S breach...

Re: This is not just a breach, it's an M&S breach...

hittitezombie

As for Harrods, if you ask about it, you cannot afford it.

More

elsergiovolador

We just need more cheap vibe AI staff.

There will be so many breaches, nobody is going to care anymore.

Imagine if all services you use, had complete data breach tomorrow.

We have shared information on how to stay safe online

abend0c4

Perhaps they should have read it themselves.

These types of incident are becoming increasingly inevitable and of course it's in our own interests to mitigate the potential fallout as far as possible, but it's not a good look to be pushing this message out to your customers after an event over which they have no control and in lieu of any meaningful explanation. Though I suppose arse-covering is M&S's fundamental business.

Checkout As Guest Option Must Be Mandatory

NewModelArmy

At this stage, with so many hacks going on, it would be good for the law to be updated requiring that EVERY online service for purchasing allows for a checkout as Guest, with no details stored apart from processing the initial purchase.

Re: Checkout As Guest Option Must Be Mandatory

jwatkins

Even guest checkout still needs your name, address, etc.

Re: Checkout As Guest Option Must Be Mandatory

af108

That's quite a naïve view of how things work.

The affected data in this case was

> names, dates of birth, telephone numbers, home addresses, household information, email addresses

For a guest checkout it uses every single one of those with the exceptions of DOB and "household information". The minimum required to fulfil an order (i.e. deliver it) is the person's name and address. Then you need an email address to send updates about the delivery. There's no way that those get wiped from databases just because an order has been delivered! It's part of the audit history of a company's orders. Just because you don't have an "account" doesn't mean the details aren't saved anywhere!

As for payment card details, the retailer doesn't usually store those. They store a representation (encrypted token) of the card which can then be validated with a 3rd party payment provider. That applies whether you use Guest checkout or have an account. In any event, this is really the least of anyone's concerns. A card can be cancelled/replaced. Your identity... not so much.

usable payment or card details

brainwrong

"We also asked what exactly it meant by "usable payment or card details." A spokesperson said: "We don't hold full card payment details on our systems, so it's masked and not usable.""

This means that they don't store the 3 digit CVV code on the back of the card, because that is a breach of contract with the payment processor. All the other details may be stored, and have been stolen by the sounds of it.

There are alternatives.

Tron

Instead of company servers being data honeypots, customer data could be held on their own PCs, encrypted, and queried by the website when you go there. Once an order is complete, data on it, if it is retained by the store, should be moved to a system that is offline bar a basic, filtered data feed, or regularly, manually. The systems we have are still very much v.1.0, unchanged from how they were when the internet was young. Everything is on servers with generic connections to the public internet. Every flaw is a vulnerability. You can design most of this out.

Perhaps the easiest alternative is for companies to have a dedicated, branded store on Amazon or Ebay. The extra cost is less than they would be paying out to deal with a hack. Plus they can sell internationally more easily. Their website could be used just for advertising, linking to products on the Amazon/Ebay store.

We could also see more action from governments. Whether these hacks are by 'state actors' as they call them or not, they should still be hunting them down like terrorists rather than cashing in with fines on anyone who gets hacked. Governments talk tough but how many malware hackers have vanished or 'fallen downstairs'? Our governments are soft and lack competence.

Re: There are alternatives.

Anonymous Coward

Why are you assuming that Amazon and eBay aren’t going to get hacked next?
