Millions of email addresses belonging to British shoppers have been stolen by criminal hackers.
Marks & Spencer yesterday sent warning messages to many online customers who have supplied the store with email addresses.
Britons who use Play.com and TripAdvisor have also been sent similar warnings.
Target: M&S bosses have warned customers of an email security breach
Victims of the theft risk being targeted in spam and phishing scams. This could result in them logging on to bogus websites set up by criminal gangs.
Once on these websites, it is feared that personal information, including passwords and bank details, could be stolen.
There is also a danger that bugs and malicious spy software could be downloaded to victims’ home computers.
The alerts raise serious questions about security systems operated by major internet brands and their technology partners.
They will also shake consumers’ trust in online shopping – and could encourage shoppers to move back to the High Street.
The M&S security failure relates to a U.S. email company, Epsilon, which has been targeted in what has been called the ‘biggest data breach ever’.
Epsilon, one of the largest email marketing companies in the world, sends more than 40billion emails annually on behalf of more than 2,500 clients.
High profile: The high street store's summer advertising campaign features TV personalities Lisa Snowdon and Twiggy alongside singer Dannii Minogue
The unrelated thefts involving M&S, Play.com and TripAdvisor reflect a growing and lucrative black market in personal email addresses.
M&S sent an email to customers yesterday, warning: ‘We have been informed by Epsilon, a company we use to send emails to our customers, that some M&S customer email addresses have been accessed without authorisation.
‘We wanted to bring this to your attention as it is possible that you may receive spam email messages as a result.
‘We apologise for any inconvenience this may cause you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.’
M&S stressed that the theft was limited to names and email addresses, rather than other personal information and account details.
Breach: Hackers stole email addresses belong to Marks & Spencer customer
However, this is all that criminals need to launch targeted and personalised spam attacks, known as spear phishing.
Britain’s biggest retailer, Tesco, also uses Epsilon. However it categorically denied that its customer details have been hacked.
In December, the computers of U.S. company Silverpop were broken into. It provides email services to Play.com, which sells CDs, DVDs, books and gadgets online.
But Play.com alerted customers to the risk only last week, after it emerged that spear phishing emails have been sent out.
Internet security expert Dr Stefan Fafinski, of the University of Leeds, was caught up in the Play.com theft.
He said: ‘Spammers will have a list of good, known and verifiable email addresses that comes straight out of M&S. Once they have names as well as email addresses, the spammers can personalise the emails they send out to look much more like a genuine company communication.
‘People who open these emails may then follow a link to what looks like an official website.
‘They may be asked to update their billing information, credit card details, the three-digit security code, maybe their mother’s maiden name or the answer to a personal security question.
‘That gives them all the information they would need to steal the identity of the customer and access their accounts.’
He said spam email often comes with attachments which, if opened, can download malicious software. This is something these big data-holding organisations will be very worried about and they will be spending a lot of time trying to close any gaps in security.
He added: ‘Trust is key to shopping online. Clearly that is very badly shaken when you have an event like this.’
M&S refused to say how many email addresses have been stolen. A spokesman said: ‘For commercial reasons we would not disclose the number of customers we hold on our marketing database – but as a precaution we have contacted customers to alert them.’
Following the hacking at TripAdvisor, the travel advice website, its co-founder Steve Kaufer said: ‘Unfortunately, this sort of data theft is becoming more common and we take it extremely seriously.’
