Just had this email today. How can a company this big not have better protection?!! Last time I had an email like this from another company they at least gave you a year's free Experian membership!
I am sure that you will have seen in the news that we have been dealing with a cyber incident and I wanted to write to you about what this means for you.
What has happened?
To proactively manage the incident, we immediately took steps to protect our systems and engaged leading cyber security experts. We also reported the incident to relevant government authorities and law enforcement, who we continue to work closely with.
Unfortunately, the nature of the incident means that some personal customer data has been taken, but there is no evidence that it has been shared. The personal data could include contact details, date of birth and online order history. However, importantly, the data does not include useable card or payment details, and it also does not include any account passwords. For more detail, see our FAQs.
How does this affect me and what should I do?
You do not need to take any action, but you might receive emails, calls or texts claiming to be from M&S when they are not, so do be cautious. Remember that we will never contact you and ask you to provide us with personal account information, like usernames, and we will never ask you to give us your password.
For more information, FAQs and hints and tips on how to stay safe online visit corporate.marksandspencer.com/cyber-update
To give you extra peace of mind, next time you visit or login to your M&S.com account on our website or app, you will also be prompted to reset your password.
We sincerely apologise for any inconvenience caused to you and all of our customers.
I am sure that you will have seen in the news that we have been dealing with a cyber incident and I wanted to write to you about what this means for you.
What has happened?
To proactively manage the incident, we immediately took steps to protect our systems and engaged leading cyber security experts. We also reported the incident to relevant government authorities and law enforcement, who we continue to work closely with.
Unfortunately, the nature of the incident means that some personal customer data has been taken, but there is no evidence that it has been shared. The personal data could include contact details, date of birth and online order history. However, importantly, the data does not include useable card or payment details, and it also does not include any account passwords. For more detail, see our FAQs.
How does this affect me and what should I do?
You do not need to take any action, but you might receive emails, calls or texts claiming to be from M&S when they are not, so do be cautious. Remember that we will never contact you and ask you to provide us with personal account information, like usernames, and we will never ask you to give us your password.
For more information, FAQs and hints and tips on how to stay safe online visit corporate.marksandspencer.com/cyber-update
To give you extra peace of mind, next time you visit or login to your M&S.com account on our website or app, you will also be prompted to reset your password.
We sincerely apologise for any inconvenience caused to you and all of our customers.
They are clearly swamped with this.
I've just set up an experian identity plus account which notifies you if any details are used. And asked M&S to refund me the monthly cost 
Apparently some people are thinking of lawsuits for compensation on various grounds but that sounds like hassle. I'll just protect my ID.
