M&S disclosed this week that an error on its Web site transferred customers to a "dump file" containing two system passwords when they clicked on one of the site's links. But the retailer denied that the passwords would have allowed hackers easy access to M&S systems.
"The file gave details of two out of five systems passwords," M&S said. "A hacker would not have got far with them. You have to use the passwords in the right sequence in the right areas. Even with the passwords you still have to negotiate around firewalls."
M&S uses the dump files to record the movements of visitors to its sites. In addition to the two system passwords, the files contain an encrypted copy of each customer's password and details of that customer's activity on the site.
The retailer said it fixed the problem within hours of it being detected by automatic monitoring software. It has called in consultants to ensure that the problem is not repeated.