M&S faces lawsuit following cyber attack data leak
Sophie Smith
20 May 2025
Marks & Spencer is reportedly facing a multimillion-pound lawsuit over the theft of customer data following the cyber attack that has impacted the retailer for a month.
It confirmed last week that hackers had stolen customer data, such as names, email addresses, postal addresses and dates of birth.
Chief Executive Stuart Machin said the data had been accessed due to the "sophisticated nature of the incident", but stressed it does not include payment and card details or account passwords, which M&S said it does not hold on its systems.
However, Thompsons Solicitors is now launching a class action claim against M&S for exposing shoppers to the threat of scams by not protecting their data, according to The Sunday Mail.
Senior Partner at Thompsons Solicitors, Patrick McGuire, said the firm had been "inundated by Scots M&S clients who have been caught up in this online heist and are contacting Thompsons".
"We have a situation here where one of the most famous retailers in the UK has allowed criminals to pillage the personal details of hundreds of thousands of Scottish customers," he added.
"I think this will be the biggest data theft case we have ever been involved in."
Investors will be hoping that Marks & Spencer can shed light tomorrow on the impact of the damaging cyber attack which has halted all online orders at the retail giant.
The company will unveil its financial performance for the past year in an update to the stock market on Wednesday.
However, attention will be sharply focused on how the company is coping after weeks of disruption.
It is a month since the retailer was first impacted by a major "cyber incident", reported to be linked to hacking group Scattered Spider.
The company has paused online orders for the past three weeks as a result, while payments and click and collect orders were also impacted.
M&S saw availability in stores also knocked by the disruption, causing some empty shelves as it changed parts of its IT systems, but said this was recovering quickly in an update last Thursday. Its stores have remained open, and availability is "now in a much more normal place with stores well stocked this week".
The retailer has not yet divulged the financial cost of the incident, but is believed to have missed out on tens of millions of pounds in sales.
Analysts have said shareholders will be eagerly awaiting the firm’s guidance on profits and revenues for the current year as a result.
Analysts at Barclays have suggested the cyber attack could result in a £200 million cost for the 2025/26 financial year but that this is likely to be offset by an insurance payout of around £100 million.
The attack knocked the business after a positive period under the leadership of Stuart Machin, with shares striking an almost nine-year high last month before a recent drop in value.










