The Office of the Privacy Commissioner for Personal Data (PCPD) has confirmed to HKFP that Marks and Spencer (M&S) Hong Kong has not informed it of a recent customer data leak, nor responded to its enquiries.

A Marks & Spencer Food Store in Wan Chai, Hong Kong. File photo: Wikimedia Commons.

In a notice to local customers this month, the British retailer said that “contact details – such as name, email address, addresses, telephone number – date of birth, online order history, ‘masked’ payment card details used for online purchases” may have been breached in a cyber heist last month.

There is no evidence that the data has been shared, and passwords and card or payment details were not stolen, it added.

M&S UK is reportedly being targeted by a ransomware gang that steals confidential data and scrambles it in the hope of extorting a ransom. According to the BBC, a loosely run group called Scattered Spider is using malicious software from a gang called DragonForce.

The PCPD – a statutory body which enforces the Personal Data Ordinance – told HKFP on April 30, on Wednesday last week, and again on Monday that M&S have been unresponsive.

The PCPD “has not received any data breach notification from the relevant organisation. The PCPD has commenced a compliance check on 30 April 2025 in accordance with established procedures and is yet to receive a response from the organisation,” the office said.

The Office of the Privacy Commissioner for Personal Data. File photo: Peter Lee/HKFP.

Those who log into the app have been greeted with an “under maintenance” notice for weeks.

It is unclear if customer data was stored locally by M&S, but the PCPD recommends that Hong Kong entities contact them following a breach.

Hong Kong stores are operated by Emirati conglomerate Al-Futtaim.

When asked about when the data breach occurred, when they became aware of the breach, and when customers were notified, Al-Futtaim did not respond on record on Monday.

Al-Futtaim were also unclear as to where local customer data was held, telling HKFP only that M&S Hong Kong’s database was separate to M&S UK’s systems: “At this time, there is no evidence to suggest that M&S Hong Kong’s database has been impacted by the incident reported in the UK.”

According to The Guardian, analysts at Barclays believe the incident could have cost the firm £200 million (HK$2.08 billion), though half could be recouped in an insurance payout.

Meanwhile, the attack has wiped £1.1bn (HK$11.46 billion) from M&S’ market value. The company’s annual results will be announced on Wednesday.


Tom founded Hong Kong Free Press in 2015 as the city's first crowdfunded newspaper. He has a BA in Communications and New Media from Leeds University and an MA in Journalism from the University of Hong Kong. He previously founded an NGO advocating for domestic worker rights, and has contributed to the BBC, Deutsche Welle, Al-Jazeera and others.

Tom leads HKFP – raising funds, managing the team and navigating risk – whilst regularly speaking on press freedom, ethics and media funding at industry events, schools and conferences around the world.