What to do if you're worried about the Co-op and Marks and Spencer hacks

Co-op and M&S have been hit with major cyberattacks in the past few weeks, causing disruption to online orders and stock availability in stores.
M&S online orders have been paused since 25 April, with no indication as to when things may return to normal.
Both retailers have also warned that some customer data was accessed by the hackers, understood to be a criminal group named 'DragonForce'.
A 'significant' amount of data from 20 million past and current Co-op members was compromised, while M&S says that some customers' contact details, dates of birth and online order histories were stolen.
Customers' passwords and useable card details were not taken from either retailer.
If you're worried about your data, read on to find out how to stay safe against ransomware scams and how to protect your information after a cyberattack.
How to stay safe against ransomware scams
Ransomware, the kind of attack both Co-op and M&S have suffered, is a type of malicious software that locks up your system or encrypts the files on your PC. The hackers then demand a ransom before they will restore your access.
The National Cyber Security Centre (NCSC) has warned that the criminals launching these cyberattacks against retailers are impersonating IT helpdesks to break into the organisations' systems.
It issued guidance to organisations, urging them to review their IT helpdesk password-reset processes to reduce the chances of being hacked.
If you're worried about ransomware scams on your work or personal devices, there are some simple steps you can take to protect yourself:
- Don't download attachments you haven't been expecting or click on links that are trying to persuade you to give away personal details. You can always contact a company directly if you want to check if a message is genuine.
- Only download software and apps from a trusted source, and look for reputable software manufacturers when deciding what to download.
- Always keep your PC operating system and any downloaded apps or other software updated. This allows you to benefit from the latest security protections.
- Windows 10 and 11 allow you to turn on a setting that protects folders from unauthorised programs such as ransomware. To turn it on, open the Windows Security app (select the shield icon from your Taskbar – if you can't see it, click Show hidden icons, which looks like ^). Scroll down, select Ransomware protection and click Controlled folder access to turn it on. Windows 10 will lose its security support later this year – you can follow our advice on the steps to take to protect your computer.
- Set up a restore point in case your device is compromised and you need to restore it from safe mode. To do this, type 'create a restore point' into your PC's search panel. Click Create a restore point and a pop-up box will appear, then click Create. Name your restore point (for example, the month and year) and click Create. Once finished, your PC will confirm and you can click Close.
- A quality antivirus – whether paid-for or free – can also provide superb anti-ransomware protection. The best antivirus on test can prevent wide-scale hijacking of your files and device. Read our guide on the best antivirus software.
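The two Windows steps in the list above (controlled folder access and a restore point) can also be applied and verified from the command line. This is an added example, not part of the original article; it assumes an elevated Windows PowerShell 5.1 session, Microsoft Defender as the active antivirus and C: as the system drive.

```powershell
#Requires -RunAsAdministrator
# Added example: run in an elevated Windows PowerShell 5.1 session.
# Assumptions: Microsoft Defender is the active antivirus; C: is the system drive.

# Controlled folder access relies on Defender real-time protection being on.
$status = Get-MpComputerStatus
if (-not $status.RealTimeProtectionEnabled) {
    Write-Warning 'Defender real-time protection is off; controlled folder access will not protect folders until it is on.'
}

# Current state: 0 = Disabled, 1 = Enabled, 2 = AuditMode (logs only, blocks nothing).
$cfa = (Get-MpPreference).EnableControlledFolderAccess
if ($cfa -ne 1) {
    Set-MpPreference -EnableControlledFolderAccess Enabled
}

# Re-read the setting rather than trusting that the change was applied.
$cfaNow = (Get-MpPreference).EnableControlledFolderAccess
Write-Output "Controlled folder access state: $cfaNow (1 means enabled)"

# System Restore must be enabled on the drive before a restore point can be created.
Enable-ComputerRestore -Drive 'C:\'

# Name the restore point with the month and year, as the article suggests.
$name = 'Manual ' + (Get-Date -Format 'MMMM yyyy')

# Windows skips creation (with a warning) if a restore point was already
# made in the last 24 hours, so check the list afterwards.
Checkpoint-Computer -Description $name -RestorePointType MODIFY_SETTINGS

# Show the most recent restore points to confirm the new one exists.
Get-ComputerRestorePoint |
    Sort-Object SequenceNumber |
    Select-Object -Last 3 -Property SequenceNumber, Description, CreationTime
```

If a trusted program is blocked from saving to a protected folder afterwards, it can be allowed with `Add-MpPreference -ControlledFolderAccessAllowedApplications` followed by the program's full path.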
How to spot scams after a cyberattack
If you're a Co-op member or M&S customer, then some of your details (such as your name and contact information) may have been compromised in the cyberattack.
M&S says there's no evidence that the stolen information has been shared, but it's still wise to be cautious with any unsolicited emails or phone calls in the coming weeks.
'You do not need to take any action, but you might receive emails, calls or texts claiming to be from M&S when they are not, so do be cautious,' M&S operations director, Jayne Wall, has warned customers.
Email scams (or 'phishing' scams) will often purport to be from a well-known brand or retailer. But when you click on a link in the email, you'll be sent to a spoofed website where you're asked to enter your personal or financial details, which will then be in the hands of scammers.
If you suspect an email might be from a scammer, don't click on any links or download any attachments. Stay security-savvy and ensure your antivirus software is always up to date, as this will provide an extra layer of protection.
Similarly, be cautious if your bank or building society contacts you out of the blue. Do not reveal your full password, login details or account numbers. Instead, hang up and call the company the caller claimed to be from, using a number you trust, to check whether the call was legitimate.
Remember that a bank will never ask for your Pin, or for a whole security number or password, either over the phone or via email.
You might also want to keep an eye on your bank accounts and credit file to see if new accounts have been opened in your name. If you spot anything unusual, contact your bank and Action Fraud immediately.
Although no passwords were lost in either attack, M&S is advising customers to reset their account passwords 'for extra peace of mind'.
If you've used the same email and password combination with other accounts, you might want to change this password too. We have a helpful guide on how to create secure passwords.
Your rights after a data breach
If a company has lost your data as a result of a breach, it must tell you without undue delay.
It should explain to you the name and contact details of its data protection officer, a description of the likely consequences of the breach and the measures it has taken to deal with it.
If your data is lost and it causes you financial damage or distress, you might be able to make a claim for compensation from the organisation that lost it.
To begin with, you should contact the organisation you believe is responsible, outlining what distress or losses you've suffered and how you expect it to compensate you. You can also take your concerns to the Information Commissioner's Office (ICO).
By law, the ICO can't award compensation or advise on the level of compensation that should be due. But its opinion can be influential in making your claim against the organisation that compromised your data.
If you can't agree on compensation with the organisation in question, you can make a claim via the small claims court.
A good piece of evidence to take to court is if the ICO agreed with you that the General Data Protection Regulation (GDPR) was indeed breached.
You can use our advice on how to make a claim in the small claims court.
This story was first published on 8 May 2025 and updated on 13 May 2025 with the news from M&S that some customer data had been taken.