Marks & Spencer has warned its staff that some of their personal data were stolen in a cyber attack last month that has crippled the high street retailer.

Sources said bosses had told staff they believed email addresses and full names had been taken as part of the hack, which has forced M&S to halt online ordering for almost a month.

It comes after the high street stalwart this week warned customers to beware of scam calls and emails after admitting their data may have been breached as part of the heist.

It wrote to millions of its customers to tell them that details including contact information, dates of birth and order histories, as well as “masked” credit card information, may have been taken.

M&S has not confirmed how many customers it believes were affected. It is understood it informed shoppers and staff of the data leaks as soon as it was able to do so.

Jayne Wall, the M&S operations director, told customers this week: “Remember that we will never contact you and ask you to provide us with personal account information, like usernames, and we will never ask you to give us your password.

“Importantly, the data does not include useable card or payment details, and it also does not include any account passwords.”

Back to manual systems

M&S staff have been forced to revert to manual systems with swathes of the retailer’s technology not working. Shelves have been left empty as it has struggled to manage its inventory and it has implemented a hiring freeze.

The hack has wiped almost £1bn from M&S’s market valuation and is believed to be costing the retailer tens of millions of pounds in lost sales every week. The FTSE 100 business will present its full-year results on May 21.

Meanwhile, Co-op this week said its systems were returning to normal after weeks attempting to recover from the cyber attack launched against it. The supermarket was forced to take large parts of its IT systems offline after it was targeted by hackers. They have also admitted that customer data was stolen in the breach.

The BBC reported that the Co-op’s security team had “yanked the plug” when they discovered they were being hacked, shutting down their IT but preventing further damage.

A spokesman for the Co-op said this week: “Following the malicious third-party cyber-attack, we took early and decisive action to restrict access to our systems in order to protect our Co-op.

“We are now in the recovery phase and are taking steps to bring our systems gradually back online in a safe and controlled manner.”

The hack comes amid a cyber crime spree against British retailers. The attacks have been blamed on a hacking “cartel”, known as Dragonforce, which uses ransomware, a type of virus designed to lock down IT systems, before demanding payment to release them.

The series of cyber crimes have also been linked to a group known as Scattered Spider, believed to be made up of teenagers from Britain and America.