Update: 3.30pm, 28 October 2015: M&S confirms that around 800 customers had some of their account information shared with others shopping at the same time. These people will be emailed today and apologised to.
Marks & Spencer (M&S) had to suspend its retail website for two hours last night after a technical problem meant customers were able to see other people's details when they logged in to their accounts.
Customers told of their shock at being able to see other people's orders, with some claiming they could see card details, names, telephone numbers, addresses, email addresses and dates of birth.
M&S wouldn't tell us how many customers were able to see others' information, but says the main details exposed were contact information such as email addresses and delivery addresses.
It adds that no passwords were viewed, or "full financial information", which M&S says is encrypted. However, a spokeswoman admits that customers may have been able to see the last four digits of another person's payment card "for a brief moment".
The spokeswoman adds: "There were no financial details compromised at all. We weren't hacked by a third party. It was an internal technical problem.
"We temporarily suspended our website last night. This allowed us to thoroughly investigate and resolve the issue and quickly restore service for our customers. We apologise to customers for any inconvenience caused."
The issue only affected the marksandspencer.com retail website, and did not impact the separate M&S Bank website.
The news comes as only last week TalkTalk was hit by a data hack, while earlier this month MoneySavingExpert.com also revealed how a Halifax and Bank of Scotland online security flaw meant balances and transactions were left exposed for others to view. See our 30 Ways to Stop Scams guide to protect yourself.
Get Our Free Money Tips Email!
I've got an M&S account. Do I need to do anything?
M&S says financial details haven't been compromised, however to be on the safe side, consider taking the following steps to protect yourself:
- Check your bank or credit card account for fraud. Monitor the account registered with M&S over the next few months. If you see anything unusual, contact your bank or credit card provider immediately, and Action Fraud on 0300 123 2040 or via www.actionfraud.police.uk as soon as possible.
- Check your credit file in case anyone's stolen your ID. The credit reference agencies can tell you if anyone's tried to open accounts in your name. Check for free – see our Credit Report guide.
- Change your passwords. It's best practice to change passwords every now and then, so use this as an opportunity to do so on your M&S account. If you use the same or a similar password elsewhere, change these too – see Martin's Easy Password Tricks blog for passwords help.
- Don't disclose your data – cold calls/emails are a scam. If you're contacted by anyone asking you for personal data or passwords (such as for your bank account), it's more than likely to be a scam. M&S says it will never phone, email or write to customers asking for bank account information or passwords. See our 30 Ways to Stop Scams guide.
Is the issue being investigated?
The Information Commissioner's Office, which looks after information rights, says it's aware of the M&S incident and is making enquiries into it. It hasn't however launched a full blown investigation at this stage.
M&S customer reports
Here's a selection of some of the tweets we've seen from affected customers:
— MAAB (@madasabox61) October 27, 2015
— DPE (@daveblueegan) October 27, 2015
@marksandspencer other people's shopping in my basket of several thousand pounds!!!! Sort this immediately. Security?!?!?! Can't order.— blondebonce (@blondebonce) October 27, 2015
@marksandspencer Trying contact your customer service team. I can view other people's CC details on my account!!!!— Ste Whitfield (@SteWhitfield) October 27, 2015
@marksandspencer Tried to access my M&S account tonight, and got someone else's details. Now the site has gone down. Is there a problem?— Julia Griffiths (@julia_griff) October 27, 2015
Additional reporting by the Press Association.