Skip to content
CybersecurityTechnology

Massive data leak at M&S sparks group legal action

Lawyer Patrick McGuire from Thompsons Solicitors details their initiative in leading a unified lawsuit for Scottish individuals targeted in the Marks & Spencer data breach.

 and  Administrator
3 min read
Scottish victims of the Marks & Spencer data breach are being represented by Thompsons Solicitors,...
Scottish victims of the Marks & Spencer data breach are being represented by Thompsons Solicitors, with Patrick McGuire leading the collective action for the affected parties.

Article Rewrite

Published on June 6, 2025

Scottish Customers Press forward in Massive Class Action Lawsuit against M&S following Data Breach

High-street heavyweight Marks & Spencer (M&S) finds itself in hot water due to a data breach that exposed sensitive customer information, leaving numerous Scottish individuals on edge about their digital security. Thompsons Solicitors is spearheading the opt-in legal action in Scotland, led by partner Patrick McGuire who has received inquiries from hundreds of affected customers.

McGuire describes the incident as a "disastrous data breach," stating that the public reaction was swift and unprecedented following the news of the breach. "Once it hit the press, we started receiving emails from Marks & Spencer notifying people that their data had been compromised," he explains. "And within days, we were contacted by dozens of individuals seeking legal advice."

Thompsons Solicitors, known for its victories in high-profile data breach cases such as Arnold Clark, EasyJet, South Lanarkshire Council, and Capita, is already working on other mass data breach litigation. However, McGuire notes that the public response to the M&S breach was unlike any other case, with individuals reaching out directly to the firm rather than using standard channels. "This is the first time I've seen individuals email me directly," he says, "They're that concerned."

MORE THAN A SIMPLE INCONVENIENCE

McGuire sheds light on the stark differences between this breach and common data security setbacks. "The issue here is that people have been notified that their data has been stolen. It's not just a speculative risk; it's a confirmed criminal act against customers," he warns.

The stolen information is more extensive than just names and email addresses, and it leaves individuals open to targeted phishing attacks, identity theft, and financial fraud, McGuire explains. Some of the firm's clients have already reported experiencing complex scams capitalizing on the stolen data. Rumors spread online suggest that the stolen information is now available for sale on the dark web. "This isn't just an inconvenience. It causes distress, anguish, and anxiety," McGuire adds.

The legal base for the claims rests on the UK's data protection legislation, which demands that data controllers and processors take all reasonable steps to safeguard the personal information in their custody. McGuire points out that this places a considerable responsibility on companies to ensure the security of their IT systems. "The law places a heavy burden on companies," he states. "If a company fails to protect the data in its care, they need to demonstrate that they took all reasonable steps to secure it. This is a high bar to reach."

EXPECted OUTCOMES

The claim seeks financial compensation for the emotional distress suffered by victims, although McGuire acknowledges the limitations of civil courts. "The only remedy the law provides is financial compensation. But we also hope that companies like M&S introduce adequate and well-funded data protection systems," he notes.

McGuire expresses hope that the widespread litigation encourages corporate responsibility in handling personal data. "We believe that if companies fail to meet legal standards, they should be held accountable."

CLASS ACTION SCRUTINY

While the effectiveness of large-scale class actions faces scrutiny in England, McGuire remains undeterred. "The controversy surrounding cases like MasterCard and Google has not dampened our enthusiasm for class actions," he counters. "We believe the Scottish opt-in system is more sustainable and fair."

Third-party funding supports the legal action, although McGuire declines to reveal the details. "It's a Scottish funder with extensive experience in supporting litigation of this nature," he adds cryptically.

Speaking exclusively to ICLG News, Nikki Stopford, co-founder of the consumer advocacy group Consumer Voice, offers a consumer perspective: "Data breaches pose a significant threat to individuals, causing distress and harm. Victims should hold companies accountable for mishandling their personal data, as required under the Data Protection Regulation."

DATA BREACHES IN ENGLAND

Recent years have seen notable cases of data breaches in England, including the 2018 British Airways cyberattack, the 2024 Post Office scandal, and the ongoing class action lawsuit against Grindr for alleged sharing of sensitive user information. The law firm KP Law plans to initiate similar proceedings against M&S in England, although they were not yet available for comment.

  1. The cybersecurity concerns raised by the M&S data breach are not just about technology, but also about the potential for Phishing attacks, identity theft, and financial fraud due to the extensive nature of the stolen data.
  2. The legal action against M&S, led by Thompsons Solicitors, is based on the UK's data protection legislation, which emphasizes the significant responsibilities of companies in safeguarding personal data, a crucial aspect of cybersecurity.

Read also:

    Related

    Latest