This year, Marks and Spencer (M&S) suffered a data breach following a cyber-attack. Customer data was impacted as a result.
You may be wondering when it could be possible to claim Marks and Spencer data breach compensation following the incident. In this guide, we’ll explore the criteria for making a personal data breach claim, including important definitions and explaining the roles of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA) in protecting the personal data of UK residents.
Our guide will also explore the data breach in further detail, and explain how it occurred, and how to find out if you’ve been affected. Following this, we will discuss how a personal data breach could impact you.
Finally, we will explain what a No Win No Fee agreement is and how working with a No Win No Fee solicitor could benefit your claim. To learn more about what you can do following the Marks and Spencer data breach and compensation claims, contact our team today:
- Call our advisors on 020 8050 3051
- Use the live chat feature for instant support
- Contact us online
Browse Our Guide
- When Can You Claim Marks And Spencer Data Breach Compensation?
- What Led To The M&S Data Breach Happening?
- How To Find Out If You’re Impacted By The Marks And Spencer Data Breach
- How Much Compensation Could You Receive For The Marks And Spencer Data Breach?
- Make A No Win No Fee Claim For Marks And Spencer Data Breach Compensation
- Read More About Claiming Data Breach Compensation
When Can You Claim Marks And Spencer Data Breach Compensation?
Before we discuss when you could claim Marks and Spencer data breach compensation in relation to the incident, let’s explore what a personal data breach is.
Personal data is any information that could identify you as a living person; this can range from your email address to your passport information. The personal data of all UK residents is protected by the UK GDPR and the DPA.
A personal data breach occurs when a security incident compromises your personal data’s integrity, availability, or confidentiality. This definition is used by the Information Commissioner’s Office (ICO), which is an independent data protection watchdog.
In order to make a claim for a personal data breach, you must be able to prove that:
- The breach is the result of wrongful conduct
- It affects your personal data
- It has caused you mental or financial harm
Wrongful conduct occurs when a data controller or data processor does not fulfil their responsibilities as set out by the UK GDPR and the DPA. A data controller decides how and why they will use your data; a data processor then processes it on their behalf.
To get more information on the Marks and Spencer data breach and compensation claims as a whole, get in touch with our team of advisors today.
What Led To The M&S Data Breach Happening?
Marks & Spencer recently experienced a data breach believed to be caused by a ransomware attack. Although full details have not been officially released, reports from the BBC suggest a hacking group called Scattered Spider may be behind the incident. This group is known to use a cybercrime tool called DragonForce, which is offered as a service to criminal affiliates.
Scattered Spider and DragonForce have also been linked to recent attacks on other high-profile UK brands such as Co-op and Harrods. The Information Commissioner’s Office (ICO), the UK’s data protection authority, reported that ransomware accounted for 6% of all data security complaints in 2024.
If you’re worried about how this may affect you, keep reading to learn more or contact our team directly for support with an M&S data breach compensation claim.
How Many People Were Affected by the M&S Data Breach?
At this stage, Marks & Spencer has not confirmed how many people were affected by the breach. That means the full impact is still unclear.
However, if your personal data was compromised and you’ve suffered either emotional distress or financial loss as a result, you may be eligible to claim compensation.
Whatever your concern, our team is here to help. Contact us for personalised advice or continue reading to find out what types of personal data may have been accessed.
What Data Was Impacted in the Breach?
Marks & Spencer has confirmed that certain customer information was accessed during the breach. This may include:
- Full name
- Date of birth
- Email address and phone number
- Postal address
- Online order history
The retailer has also stated that no payment card details or account passwords were affected.
If you believe your information was involved and this has caused you harm, either psychologically or financially, our experienced team can help you make an M&S data breach compensation claim.
How To Find Out If You’re Impacted By The Marks And Spencer Data Breach
The statement issued by the Marks and Spencer Pension Scheme noted that all affected members would be informed via letter. If you have not received this letter, you can reach out to your employer directly for confirmation.
It is the responsibility of every organisation in the UK to inform those affected by a data breach without undue delay. The organisation affected must also notify the ICO within 72 hours.
Suspicious activity on your bank statements or involving your credit or debit card could be indicators that your personal data was affected in a breach. Similarly, monitoring your email account for any suspicious emails and being wary of unsolicited texts and phone calls can also help you identify whether you were affected by a breach.
To learn more about the Marks and Spencer data breach and compensation in general, contact our team. Or, read on to find out what a customer data breach compensation payout could be made up of.
How Much Compensation Could You Receive For The Marks And Spencer Data Breach?
Generally, a data breach compensation payout can account for two types of harm. These are material damage and non-material damage.
Non-material damage is the psychological harm you suffer as a result of the breach. If you suffer from anxiety, depression, general distress, or post-traumatic stress disorder (PTSD) after a breach, you could claim compensation for this.
When solicitors value non-material damage compensation, they can refer to the Judicial College Guidelines (JCG). The JCG is a document that provides solicitors with guideline compensation brackets for different psychological illnesses. You can find some examples of these guidelines below, but please note that this table is for illustrative purposes only.
| Injury | Bracket | Notes |
|---|---|---|
| Severe Psychiatric Harm | £54,830 - £115,730 | The prognosis here is very poor, because there are severe symptoms that affect ever area of life. |
| Moderately Severe Psychiatric Harm | £19,070 - £54,830 | Even though there are still severe symptoms, the prognosis here is slightly better. |
| Moderate Psychiatric Harm | £5,860 - £19,070 | In this bracket, symptoms are expected to show significant improvement, leading to a good prognosis. |
| Less Severe Psychiatric Harm | £1,540 - £5,860 | The severity of symptoms, as well as how long they last and how they affect you, are all considered under this bracket. |
| Severe PTSD | £59,860 - £100,670 | Due to severe symptoms, there is no remaining ability to function or work at the level you would have before the trauma. |
| Moderately PTSD | £23,150 - £59,860 | With professional help, there is some chance of improvement in your symptoms, allowing for a better prognosis. |
| Moderate PTSD | £8,180 - £23,150 | Remaining symptoms are not grossly disabling, and there is a good prognosis. |
| Less Severe PTSD | £3,950 - £8,180 | Within two years there is an almost full recovery. Any remaining symptoms are not severe. |
Material Damage
Material damage is the harm you suffer financially. A data breach can have a number of negative effects on your finances, and material damage compensation could help you cover the cost of:
- Fraudulent purchases made on your credit card or debit card
- Debt accrued in your name
- Damage to your credit score
- Money withdrawn from your bank account
To learn more about the potential consequences of a data breach, contact our advisors today. Or, read on to find out how a No Win No Fee solicitor could help you should you be eligible for Marks and Spencer data breach compensation following the incident.
Make A No Win No Fee Claim For Marks And Spencer Data Breach Compensation
If you are ready to start a personal data breach claim, one of the solicitors we work with on our panel could help. Our panel solicitors offer their services on a No Win No Fee basis by providing their clients with a Conditional Fee Agreement (CFA). Under a CFA, your solicitor won’t ask for an upfront payment or ongoing payments to continue their work. Similarly, they won’t take a fee if your claim fails.
If your claim is a success, then your solicitor takes a small success fee. They take this fee directly from your compensation, though there is a legal cap in place. The legal cap puts a limit on what your solicitor can take, which helps to ensure that the larger share goes to you.
To find out if you could be eligible to work with a solicitor from our panel, contact our team of advisors. They can offer more information on the Marks and Spencer data breach, compensation payouts, and the data breach claims process. They can also evaluate your claim for free, and could potentially connect you with a solicitor. To get in touch:
- Call our advisors on 020 8050 3051
- Use the live chat feature for instant support
- Contact us online
Read More About Claiming Data Breach Compensation
For more helpful articles:
- Find out if you could claim for a pharmacy data breach with our helpful guide.
- How do GP data breach claims work? Our guide explores the GP data breach claims process.
- Find out how to sue a company for breaching data protection law with our informative article.
Or, for further resources:
Thank you for reading our guide on the Marks and Spencer data breach and compensation claims.
