
On 25 April 2025, British retailer Marks & Spencer (M&S) was hit by a major cyber-attack that led to the suspension of its online orders and to shortages of certain food items in store. Since then, it has been revealed that customer personal data, which may include contact details, was stolen. In light of this, we consider how data protection regulation applies and what the next steps are likely to be.

Cyber Attack – Personal Data

On 13 May 2025, the M&S chief executive confirmed that personal data relating to M&S customers had been taken by the attackers. Affected customers have been contacted to inform them of the attack and advised to reset their passwords. Where a breach is likely to result in a high risk to individuals, the UK GDPR (Article 34) requires the organisation to notify those individuals directly, not only the regulator.

Personal data is defined in the UK GDPR (the UK's data protection regulation) as 'any information relating to an identified or identifiable natural person'. It covers both direct and indirect identifiers, such as a name, a date of birth, a person's location, financial information and health data; a combination of indirect identifiers can amount to personal data even where no single one of them identifies the person on its own.

In the context of the M&S attack, the personal data of an M&S customer could include their name, date of birth, username, password, payment information and order history. However, M&S has clarified that the stolen data did not include payment or card details.

Reporting to the ICO

The Information Commissioner's Office (ICO) is the authority that enforces data protection law in the UK, principally the UK GDPR and the Data Protection Act 2018. Where a personal data breach occurs, the organisation is legally obliged (under Article 33 of the UK GDPR) to report it to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. The 72-hour clock runs from awareness of the breach, not from completion of the investigation, so an initial report can be made in stages and supplemented as more is learned. In the case of M&S, given the very large number of customers affected and the types of personal data potentially involved, a report to the ICO would have been necessary.

Once a breach has been reported, the ICO may investigate both its impact and the circumstances that led to it. This can involve sharing information with other bodies, such as the National Cyber Security Centre (NCSC), which provides technical guidance and incident support, and with law enforcement agencies investigating the criminal activity.

In some cases, an investigation into a data breach results in enforcement action against the organisation that suffered it, most often where the investigation reveals that the organisation failed to take appropriate steps to protect the data it held. For example, in April 2025 the ICO announced that it had fined a law firm £60,000 for failing to put in place appropriate measures to protect personal information after the firm had suffered a cyber attack.

M&S – Next Steps

Now that it has been confirmed that personal data was stolen in the M&S cyber-attack, the ICO is likely to investigate further. It will want to understand how the attack occurred, what security measures were in place, and the impact on the customers whose personal data was taken. The Metropolitan Police has also confirmed that it is investigating the attack.

Where an organisation has failed to take appropriate steps to protect individuals' personal data, the ICO has the power to take action, either to mitigate the ongoing risk or to penalise the organisation. Such action includes warnings, reprimands, enforcement notices and monetary penalties. In the most serious cases, the ICO can issue fines of up to £17.5 million or 4% of the organisation's total worldwide annual turnover, whichever is higher.

It remains to be seen what steps the ICO will take in relation to the M&S cyber attack. However, if the investigation finds that the breach resulted from a failure to implement appropriate technical and organisational measures to protect personal data, M&S may face not only a fine but also the court of public opinion, with customers voting with their feet and becoming uncertain about entrusting their data to this stalwart high street brand.

At Stephens Scown, we have a team of specialist lawyers with expertise in data protection and intellectual property law. If you have any questions in relation to the same, please email us at DataProtection@stephens-scown.co.uk or call 0345 450 5558.

This article was co-written by Thomas Chartres-Moore and Joey Medway, partner and solicitor apprentice in our Intellectual Property, Data Protection and Technology team.