M&S hit with class action lawsuit following data breach


British retailer Marks & Spencer (M&S), recently hit with a cyberattack, is now reportedly facing a multimillion-pound lawsuit following the theft of customer data.

M&S is reportedly still struggling to restore its systems nearly a month after the attack left its online ordering system in shambles. In its latest website update, the company admitted that some customer data had been stolen in the attack, prompting a customer-wide password reset.

While M&S stressed that no payment details, bank card information, or account passwords were compromised, and that there is no indication the stolen data has been shared, concerns persist over the potential for fraud.

Since customers’ dates of birth, contact details, and online purchase histories have been accessed and could be used in phishing attacks, the company has now been hit with a class action lawsuit.

Thompsons Solicitors, a Scottish law firm, is filing a claim against M&S, accusing the company of failing to adequately protect customer data and thereby exposing shoppers to potential scams.

Senior partner Patrick McGuire told The Sunday Mail that the solicitors had been “inundated by Scots M&S clients who have been caught up in this online heist and are contacting Thompsons”.

“I think this will be the biggest data theft case we have ever been involved in,” added McGuire after accusing M&S of having “failed their customers completely.”

The crisis is costing the retailer £43 million ($57 million) in lost sales, according to analysis by Bank of America, and has wiped more than $1 billion off the company’s stock value. Now, the firm could lose even more cash.

Class action lawsuits are not uncommon in the United Kingdom. The Information Commissioner’s Office has the power to impose a fine equivalent to 2% of a company’s annual turnover if it finds that measures to protect customer data were inadequate.

But it’s unlikely to fine firms unless they’re actually at fault over a breach, and in this case, it looks like the M&S hackers used employee logins from a third-party consulting firm.

It’s different in the United States. Data breach litigation in America reached unprecedented levels in 2024, with filings for class action lawsuits doubling from the previous year, data from cybersecurity platform Panaseer shows.

US organizations have paid a total of $154,557,500 in class action lawsuits related to data breaches over the last 6 months, with settlements averaging $3 million. MGM Resorts also agreed to a $45 million class action settlement in January 2025 after a hack two years earlier.

“While people – and the courts – can be understanding when a company falls victim to an attack, they’re far less forgiving when it looks like the organization failed in its duty of care around data,” said Jonathan Gill, CEO of Panaseer.