Over 1,000 Scots Take Legal Action Against Marks & Spencer Following Cyber Breach
In a significant escalation following a major cyber attack, more than 1,000 individuals in Scotland have joined a collective legal action against Marks & Spencer (M&S), according to reports from Thompsons Solicitors. The firm is spearheading a class action lawsuit in response to a data breach that occurred in April, in which cybercriminals stole personal data belonging to millions of customers.
This lawsuit provides a collaborative avenue for affected parties to pursue compensation, contrasting with the cumbersome process of individual claims. In acknowledging the breach, M&S has attributed the incident to “human error,” estimating that the financial repercussions for the company could reach approximately £300 million.
Simultaneously, Co-Op Group was also targeted in a ransomware attack, suggesting a wider, coordinated assault by cybercriminals on retail entities. The breached data includes names, email addresses, postal addresses, and dates of birth. While there was no exposure of passwords or financial information, experts caution that such personal details can facilitate identity theft and enhance phishing schemes.
Patrick McGuire, senior partner at Thompsons, stated that the legal proceedings are in their preliminary stages, yet the number of claimants is rapidly increasing. He emphasized the frustration felt by M&S customers regarding the handling of the breach and the company’s apparent disregard for the incident’s seriousness. He noted that unless M&S can provide definitive proof of their non-involvement in the breach, they may be legally obligated to provide compensation.
Thompsons Solicitors has previously represented clients in other data breach cases, including those involving Arnold Clark and the University of the West of Scotland, highlighting its expertise in this domain. According to the UK Government’s Cyber Security Breaches Survey 2025, 43% of businesses reported experiencing at least one cyber-related incident in the past year. With ransomware attacks on the rise, this incident underscores the critical need for businesses to bolster their cybersecurity infrastructures.
In line with the MITRE ATT&CK framework, tactics such as initial access and privilege escalation could have been involved in the recent attack. Attackers might have exploited a vulnerability or used social engineering techniques to gain access. The disclosed personal data, while not financially sensitive, poses a significant risk for identity fraud and online scams.
In a statement, M&S has asserted that they swiftly notified regulators about the incident and remain in close communication regarding ongoing investigations. A company representative clarified that they informed customers as soon as possible, emphasizing that no usable payment details were compromised. Stuart Machin, the CEO of M&S, conveyed optimism about restoring full online operations within weeks, signalling the company’s intent to recover and protect its consumer base.
Additionally, customers have been warned to be vigilant in the wake of this breach. Reports indicate that scammers are already using the situation to deploy phishing schemes, including fraudulent emails offering gifts in exchange for personal information. Experts advise individuals to scrutinize email senders and verify the legitimacy of requests before sharing any sensitive data.
In summary, as Marks & Spencer navigates the fallout from this cyber incident, the overarching implications for data security and consumer trust within the retail sector are considerable. This incident serves as a stark reminder to businesses of all sizes regarding the importance of robust cybersecurity measures and proactive incident response strategies.