Marks & Spencer data breach legal claims now launched

Marks & Spencer has now confirmed what many feared: a serious cyberattack has exposed customer data. And things are escalating fast.

UK law firms have officially launched legal claims to help those affected get the compensation they may be owed.

If you’ve shopped with M&S, your personal information could be at risk. And you could be eligible to join a group action claim.

What happened in the M&S data breach?

The M&S data breach has been linked to a cybercriminal group known as DragonForce, which operates a ransomware-as-a-service model. This allows other hackers to use DragonForce’s ransomware tools to carry out attacks in exchange for a share of any ransom or profit.

According to the latest reports, attackers exploited a vulnerability in a third-party supplier’s system – rather than targeting M&S’s systems directly. This third-party weakness allowed them access to M&S’s broader digital infrastructure. They also used social engineering tactics, including impersonating employees and manipulating IT helpdesk staff into resetting internal passwords, giving them further access. Once inside, they deployed ransomware to encrypt data and disrupt M&S operations.

Some cybersecurity experts have observed that the tactics resemble those used by Scattered Spider (also known as Octo Tempest), a loosely affiliated group of English-speaking cybercriminals. However, this remains unconfirmed.

Personal data was compromised in the M&S hack

Marks & Spencer has confirmed that customer data was accessed during the attack, potentially including:

  • Names
  • Email addresses
  • Phone numbers
  • Dates of birth
  • Home addresses
  • Online order histories
  • Household details

M&S has emphasised that no usable payment card information or passwords were taken. In a message to affected customers, the company added that there is no current evidence that the data has been leaked or shared online.

However, it’s important to understand that just because the data hasn’t appeared online or been used yet doesn’t mean the threat has passed.

Cybercriminals often wait weeks or months before using or selling stolen data. It’s common for personal information to be quietly traded on the dark web. Even seemingly “low-risk” data, like names or email addresses, can still be used to:

  • Target people with convincing phishing emails
  • Build profiles for identity fraud
  • Bypass security questions used on other websites
  • Manipulate victims through social engineering

So while you may not notice anything immediately, the impact of the breach could emerge much later.

Delayed notification could strengthen lawsuits against M&S

To make matters worse, M&S was slow to confirm that customer data had been compromised. This delay may have prevented customers from taking quick, protective steps like changing passwords or monitoring accounts.

Under UK data protection law (UK GDPR), companies are required to notify affected individuals without undue delay if a breach is likely to result in a risk to their rights or freedoms. A delayed notification could strengthen your compensation claim, particularly if you’ve experienced stress, financial loss, or increased risk of harm as a result.

What should you do now?

We advise all M&S customers to stay vigilant and monitor their accounts to protect themselves from further harm. There is some advice on how to do this here.

If you think you’ve been affected by the M&S data breach, you can find out more about the group action claim by clicking the button below.

Join the Claim connects consumers with SRA-regulated lawyers. Visit the claim page to check your eligibility if a claim is open with one of our trusted legal partners. If a group action has not yet been launched, you can register your interest and we’ll keep you informed if a partner firm decides to take a claim forward.  

This information is for general guidance only and does not constitute legal or financial advice.
