In a significant cybersecurity incident, Marks & Spencer (M&S) has confirmed that a cyberattack compromised some customer personal data, leading to widespread disruptions in its online operations. The breach, attributed to the hacking group Scattered Spider, has raised serious concerns about data protection and the retailer’s compliance with UK data privacy laws.
What Happened?
On 25th April 2025, M&S experienced a cyberattack that halted all online and app-based orders, impacting in-store product availability and services like click-and-collect.
Following this cyber incident, M&S have released a statement confirming that the compromised data includes customer names, addresses, and order histories. Fortunately, M&S have stated that no payment card details or account passwords were affected and that there is no evidence the stolen data has been shared publicly. Nevertheless, this incident highlights the importance of having robust data security policies and procedures in place.
Legal Implications
Under the UK’s Data Protection Act 2018 (which implemented the UK GDPR) organisations are required to implement ‘appropriate technical and organisational security measures’ to safeguard personal data. The Information Commissioner’s Office (ICO) has been notified and is coordinating with the National Cyber Security Centre to assess the breach’s impact and ensure that M&S is in compliance with its data protection obligations.
Organisations found in breach of UK data protection laws may face significant penalties, including fines of up to £17.5 million or 4% of annual global turnover, whichever is higher. If the ICO chooses to investigate, it will determine whether M&S’ data protection measures were adequate and whether any remedial actions are necessary.
Berry Smith Comment
The M&S data breach underscores the critical importance of robust cybersecurity measures in protecting customer data. Businesses must remain vigilant and ensure compliance with data protection laws to prevent such incidents and mitigate their impact should they occur.
It is also essential that businesses take a proactive approach to data protection, ensuring that they are compliant with the UK GDPR, or they may face significant sanctions. This includes making sure that they have robust privacy policies and data security policies and that these are regularly reviewed and updated to ensure continued compliance.
For more information on ensuring that your business is compliant with UK data protection legislation, contact our Commercial Team at Berry Smith.