Over 1,000 join legal action against M&S after major customer data breach

More than 1,000 Scots have joined legal action against Marks & Spencer following a major cyber attack that compromised customer data, according to lawyers.

Thompsons Solicitors said it is launching a class action lawsuit against the retail giant after a catastrophic data breach in April that saw personal details belonging to millions of customers stolen by cyber criminals.

The action allows affected individuals to seek compensation collectively, rather than through individual claims.

M&S has since admitted that the incident was the result of “human error” and said the fallout is expected to cost the company around £300m.

At the same time, the Co-Op Group was also targeted in a ransomware attack – believed to be part of a wider coordinated operation by criminals.

The stolen information included names, email addresses, postal addresses, and dates of birth. Although no passwords or financial information were taken, experts warn that this kind of data could be used to commit identity fraud or enhance phishing scams.

STV News

Thompsons senior partner Patrick McGuire said the legal action is still in its early “onboarding” stages, but the number of claimants continues to grow rapidly.

“More and more people have approached us,” he told STV News.

“What that shows is how strongly Marks customers feel about that incident. They are upset, distressed and angry at the way the company treated them, the way it’s been almost brushed under the carpet.

“Unless M&S can show they had absolutely nothing to do with the loss, that they could’ve done nothing else to prevent the loss from happening, they are liable in law to pay compensation.

“That’s clearly the case in this incident; they did not do enough, they did not have robust enough systems, they are legally responsible.”

Thompsons has previously represented clients in other data breach cases involving organisations such as Arnold Clark and the University of the West of Scotland.

iStock

According to the UK Government’s Cyber Security Breaches Survey 2025, 43% of businesses reported experiencing at least one cyberattack or breach in the past year. The prevalence of ransomware attacks has also increased significantly, with an estimated 1% of all UK businesses – roughly 19,000 firms – affected in 2025, up from less than 0.5% in 2024.

Mr McGuire said the trend should serve as a warning for all companies holding personal data.

“The legislation is perfectly clear; the people who hold our data have a very heavy burden to protect that data. When that doesn’t happen, they are just as responsible in law as the hackers for injury, upset, and distress caused by that data loss,” he said.

“Marks & Spencer legally have nowhere to hide. I hope that means they will come to the table quickly and do the right thing, and pay their loyal customers compensation to which they’re entitled.”

A spokesperson for Marks & Spencer said it has not yet received any group litigation claims.

The company also notified regulators soon after discovering the cyber incident and said it continued to work closely with them.

A spokesperson said: “We wrote to our customers as soon as we could in relation to their personal data, making clear that no useable card or payment details or account passwords had been extracted during the cyber incident, and that there was no evidence that any customer data had been shared, which we continue to monitor and remains the case.”

Last week, the boss of Marks & Spencer said he hoped its online operations would be running “fully” within four weeks as it continues to recover from the damaging cyber attack.

Stuart Machin told the retailer’s annual general meeting: “I have previously highlighted that it would take all of June and all of July, maybe into August but definitely by July.

“During the incident we chose to shut things down because we didn’t want the risk of things going wrong.

“Currently, half of online is open but not areas like click and collect. Within the next four weeks we are hoping for the whole of online to be fully on.

“Then our focus will be getting the Donington site back and running. We’re hoping that by August we will have the vast majority of this behind us and people can see the true M&S.”

People warned to watch out for scam emails following cyber attack on M&S

M&S has sent gift cards to some customers but scammers are also sending fraudulent emails offering afternoon tea hampers if you complete a survey.

Consumer experts have warned to be suspicious of emails that come out of the blue.

“Check the email address it’s sent from to see if it ends in ‘marksandspencer.com’ before clicking on any links and if you are still in doubt, contact M&S directly to verify if it’s legitimate,” said Lisa Webb, a consumer law expert at Which?

Dave Excell, founder of Featurespace, said: “Scammers have a wide range of tools in their armoury to make digital communications as convincing as possible, and button generation using embedded links that take the victim to another site are one such example.”

“Financial providers must continue to invest in technology such as AI to identify and prevent fraud in real-time, enabling banks to effectively work alongside their customers to help spot scams before it’s too late,” Mr Excell said.

Follow STV News on WhatsApp

Scan the QR code on your mobile device for all the latest news from around the country