M&S hit with lawsuit following customer data breach

News | May 2025 | Drapers

What: Marks & Spencer faces a multimillion-pound class action lawsuit after a cyber attack exposes customer data, leading to a significant share price drop and executive compensation cuts.

Why it is important: The unprecedented scale of this breach and subsequent legal action sets a new precedent for retailer accountability in data protection, while demonstrating the severe financial and operational consequences of cyber vulnerabilities.

Marks & Spencer is confronting a significant legal challenge as Thompsons Solicitors initiates a class action lawsuit following a major cyber attack that compromised customer data. The breach, which exposed sensitive information including dates of birth, contact details, and online purchase histories, has triggered widespread concern despite M&S's assurance that no payment details or account passwords were compromised. The financial impact has been substantial, with the company's share price dropping 14% since the incident was disclosed on April 22, leading to a projected £1.1 million reduction in CEO Stuart Machin's compensation package. The incident has particularly affected his performance share plan and deferred bonus, with potential cuts of £831,000 and £233,000 respectively. Senior partner Patrick McGuire from Thompsons Solicitors anticipates this could become their largest data theft case, highlighting the growing legal implications of cyber security breaches in retail. The incident underscores the critical balance between digital innovation and security in modern retail operations.

IADS Notes: The M&S data breach in April 2025 marks a critical escalation in retail cybersecurity threats, with the Scattered Spider group disrupting £3.5 million in daily digital sales and wiping £700 million off the retailer's market value. This incident triggered a chain reaction, as both Harrods and Co-op suffered similar attacks by May 2025. The impact on consumer confidence was significant, with M&S's recommendation rates dropping from 87% to 73%, though underlying trust remained stable at 82%. The breach has transformed the cyber insurance landscape, driving a 10% increase in premiums across the UK retail sector, while highlighting how ransomware now accounts for 30% of retail security incidents, with average losses reaching £1.4 million per attack.

