In April 2025, British retailer Marks and Spencer was hit by a major cyber attack that brought chaos to both their online business and their in-store services. We’ve created this guide to M&S data breach claims to inform anyone affected by this incident about their eligibility to seek compensation.
Important areas covered by this page include what a data breach is, how this particular data breach unfolded and the role of the Information Commissioner’s Office (ICO), Britain’s independent regulator for information rights, in protecting your personal information.
We also examine how potential compensation amounts are determined in these claims, with a table containing some guideline payout figures. At the end of this guide, we explore the No Win No Fee contract offered by our panel of solicitors.
For help making a claim if you’ve been impacted by the Marks and Spencer data breach, contact our advisors using the details given here:
- Call us on 020 8050 6279.
- You can also contact us online by completing a callback form.
- Use the chat function on your screen now.
We Can Help With Your Claim
Our team of specialist advisors are ready to assist you with your data breach claim
Select A Section
- What Data Breach Claims Can Help You With Following The M&S Data Breach
- How Did The Marks And Spencer’s Data Breach Happen?
- How Many People Were Impacted By The M&S Data Breach?
- What Types Of Data Were Stolen?
- How Can I Know If My Data Was Part Of The Breach?
- If My Data Was Involved, Should I Report It To The ICO?
- Can I Claim M&S Data Breach Compensation?
- The Amount Of Compensation I Could Get
- Get Advice From Data Breach Claims
- Learn More
What Data Breach Claims Can Help You With Following The M&S Data Breach
Data breach claims can potentially help anyone following the M&S data breach if they were affected by this major security breach. The ICO define a personal data breach as a security incident that results in:
- The loss,
- Unlawful or accidental destruction,
- Access to,
- Alteration or,
- Unauthorised disclosure of, personal data.
Before we get into the eligibility requirements, there are 3 relevant parties you need to be aware of regarding personal data breaches. These are:
- The data controller: This is the organisation that decides when, why and how personal data is to be collected, stored and processed. For the purposes of our guide, the data controller is Marks & Spencer.
- The data processor: A data controller may contract the processing of data to external partners, called data processors. Some data controllers may not use such services and do the processing themselves.
- The data subject: The living individuals to whom the personal data relates. So if you were impacted by the M&S data breach, you are the data subject in this instance.
Data controllers and processors have obligations under the Data Protection Act 2018 (DPA) and the UK General Data Protection Regulation (UK GDPR). Failures to comply with obligations under these laws can lead to personal data breaches.
The following conditions must apply in M&S data breach claims:
- The data controller or processor failed to meet the standards set out by the UK GDPR and DPA.
- These failures resulted in a data breach that affected your personal data.
- You suffered financial harm, psychological injury, or both, as a result of your personal data being adversely affected.
To get your free eligibility assessment, get in touch with our advisors today.
How Did The Marks And Spencer’s Data Breach Happen?
A ransomware attack by a group called Scattered Spider brought down M&S systems, including their online retail services. An email was also sent to the M&S CEO demanding payment in exchange for the removal of the software. It also later became apparent that the personal data of customers had been stolen.
A recent update from M&S confirmed that no account passwords or usable payment details were exposed. If your personal data was affected by this incident and you would like to know more about seeking compensation, get in touch with our team today.
Sources:
- https://www.bbc.co.uk/news/articles/cr58pqjlnjlo
- https://corporate.marksandspencer.com/cyber-update
How Many People Were Impacted By The M&S Data Breach?
At the time of writing, we are unaware of the number of people impacted by the Marks and Spencer data breach, as this information has not been disclosed. We know that stores across the country as well as the M&S website were targeted, causing large-scale impacts to both the supply of goods in stores and the ability to process payments.
Source: https://www.bbc.co.uk/news/articles/c0el31nqnpvo
What Types Of Data Were Stolen?
Reporting from The Guardian states that personal data such as names, addresses and order histories were accessed, but the compromised systems contained no payment card information or passwords as these details were not held.
Per the ICO, personal data is any information that can be used to identify living individuals through direct and indirect means. This includes information such as names and addresses, but also contact details and information from bank and credit cards. M&S say that no payment information was affected by this retail data breach.
Source: https://www.theguardian.com/business/2025/may/13/m-and-s-personal-data-cyber-attack-marks-spencer-card-passwords
How Can I Know If My Data Was Part Of The Breach?
You can find out if your personal data was part of the breach by checking the correspondence from M&S concerning what happened. If the rights and freedoms of data subjects have been put at risk, then as a data controller, M&S are obligated to inform those affected without undue delay, and report the breach to the ICO within 72 hours.
If you have not received a data breach notification letter but have concerns about how your personal data is being handled or want to know more about what is being done to protect your personal information, you can write to the data controller and ask them to address your concerns.
If My Data Was Involved, Should I Report It To The ICO?
If your data was involved, it is not required that you report the matter to the ICO yourself, although you are entitled to do so. The data controller should have made the report within 72 hours if the rights and freedoms of the data subjects have been impacted.
If you have written to the data controller with your concerns, and receive either an unsatisfactory response or no response at all, then you can complain to the ICO yourself. Again, making a report personally is not required in order to claim compensation. However, any findings from the ICO investigation can be used as part of your evidence.
Can I Claim M&S Data Breach Compensation?
You could claim M&S data breach compensation if you meet the eligibility requirements we discussed above and can provide supporting evidence. Any proof you gather should not only show that the data controller failed to keep your personal information safe, but also highlight the extent of the harm caused.
Examples can include:
- The data breach notification letter from M&S informing you that your personal data was impacted by the recent security incident.
- Proof of financial losses.
- Medical records showing a formal diagnosis of a psychiatric condition.
One of our solicitors could help you with collecting evidence. To find out if you’re eligible to work with us, call the number below for a free eligibility check today.
The Amount Of Compensation I Could Get
The amount of compensation you could get depends on how the personal data breach impacted you. Data breach compensation is paid for two different types of damage, material and non-material. What this means is:
- Financial losses resulting from a personal data breach are called material damage. We’ll explore this in more detail below.
- The psychological distress caused is known as non-material damage.
Calculations for non-material damage compensation are done by using the Judicial College Guidelines alongside your medical evidence. The JCG is a publication setting out guideline compensation brackets for a large array of injuries. We have used the psychiatric harm brackets, apart from the first entry, in the table here.
Compensation Table
Please note that this information has been provided to act as guidance only.
| Type of Injury | Severity | Guideline Payout Figure | Notes |
|---|---|---|---|
| Very Serious Psychiatric Harm with Non-material Damage | Very Serious | Up to £500,000 + | Very serious psychological effects as well as significant financial harm. |
| General Psychiatric Harm | Severe (a) | £66,920 to £141,240 | Marked problems regarding ability to cope with employment, personal relationships and education. A very poor prognosis. |
| General Psychiatric Harm | Moderately Severe (b) | £23,270 to £66,920 | While the prognosis is much more optimistic, the affected person will still be experiencing significant impacts for the foreseeable future. |
| General Psychiatric Harm | Moderate (c) | £7,150 to £23,270 | A good prognosis following a marked improvement in the affected person's condition. |
| General Psychiatric Harm | Less Severe (d) | £1,880 to £7,150 | Impacts on sleep patterns, daily tasks and the length of disability period are considered in this bracket. |
| Post-Traumatic Stress Disorder | Severe (a) | £73,050 to £122,850 | Permanent effects across all aspects of life preventing anything close to the pre-trauma functionality. |
| Post-Traumatic Stress Disorder | Moderately Severe (b) | £28,250 to £73,050 | Significant disability despite a more optimistic prognosis. |
| Post-Traumatic Stress Disorder | Moderate (c) | £9,980 to £28,250 | Large scale recovery with no gross disablement. |
| Post-Traumatic Stress Disorder | Less Severe (d) | £4,820 to £9,980 | Recovery within 2 years, with only minor symptoms persisting any longer. |
Can I Claim For Any Financial Losses That Have Occurred?
Certain financial losses that have occurred due to a personal data breach may be reimbursed as part of your compensation. If you have experienced material damage due to the M&S data breach, then our panel could help ensure you receive payment for this.
Examples of material damage due to personal data breaches include:
- A loss of earnings due to time taken off work to recover from psychological distress.
- Medical costs relating to that distress including prescriptions, counselling and therapy sessions.
- The cost of security installations, or even relocation, if your address was compromised and your safety is now at risk.
Make sure you have copies of any documents, such as your payslips, prescriptions and receipts for any purchases so you can prove what losses have been incurred. For further help in your particular circumstances, get in touch with our advisors today using the details provided below.
Get Advice From Data Breach Claims
You can get free advice from the advisory team at any time using the contact information given below. As well as answering your questions, our advisors can assess your eligibility to claim for free. If eligible, you could be connected with a specialist data breach solicitor on our panel.
Eligible claimants will be offered legal representation strictly using a No Win No Fee service under a type of contract known as a Conditional Fee Agreement (CFA). The CFA protects claimants from solicitor fees at the start of and during the claims process. You will also not pay any solicitor fees if the claim fails.
That fee is only taken if the claim is won. Known as a success fee, this is taken from your compensation by the solicitor before they send the rest to you. The Conditional Fee Agreements Order 2013 caps the percentage that can be charged as a success fee at 25%, so most of the compensation is yours to keep.
Contact Our Advisors
For more advice about making a claim if the Marks and Spencer data breach has impacted you, contact our advisors using the details given here:
- Call us on 020 8050 6279.
- You can also contact us online by completing a callback form.
- Use the chat function on your screen now.
Learn More
Read about claiming for other types of personal data breach by clicking below:
- Read our guide to banking data breach claims on our website.
- Find out more about claiming for a local authority data breach here.
- Learn more about claiming for a credit score data breach with this guide.
We have also included these external resources for additional information:
- The government have released their 5 top tips to stay safe online, which you can read on this page.
- Access mental health services from the NHS if you have suffered psychiatric harm due to a personal data breach.
- Learn more about the work of the National Cyber Security Centre here.
We hope this guide to M&S data breach claims was helpful. If your personal data has been compromised by the recent cyber attack on Marks & Spencer and you would like to know if you could be eligible to claim compensation, get in touch with us today using the contact details provided above.


