Percy-nal Data and Caterpil-leaks: The M&S Cyber Attack Unwrapped
What the M&S Hack Reveals About Modern Data Vulnerabilities and Digital Trust

In an increasingly digital world, even British high street brands aren’t safe from the invisible threat of cyber crime. On 13 May 2025, Stuart Machin, Chief Executive of Marks & Spencer (M&S), confirmed that the ransomware attack the company had suffered over the Easter weekend wasn’t just inconvenient: it had resulted in the theft of customer personal data.
The incident is currently under investigation, with the cyber criminal group known as Scattered Spider in the spotlight. This group has made a name for itself by targeting large businesses in retail, finance and, in practice, any sector where sensitive data is stored in bulk.
While the M&S hack has caused understandable concern, it’s not a standalone event. Just a few months earlier in September 2024, luxury department store Harvey Nichols informed its customers that it too had suffered a data breach. That announcement came after the retailer discovered, on 16 September last year, that names, email addresses, phone numbers and other personal data had been accessed. As per legal requirements, Harvey Nichols promptly notified both the UK’s Information Commissioner’s Office (ICO) and the Data Protection Commission in Ireland.
Explaining Personal Data
Under Article 4(1) of the UK General Data Protection Regulation (UK GDPR), “personal data” is defined as any information relating to an identified or identifiable natural person. This could be a name, an ID number, or even an online username — essentially, anything that could be traced back to a real human being, either directly or indirectly.
In the case of the M&S breach, the stolen data reportedly included:
• Full names
• Dates of birth
• Usernames
• Passwords
• Order histories
• Payment-related information
However, M&S has reassured the public that actual card details were not compromised. This subtle but crucial distinction may help limit the fallout, especially regarding financial liability, but it doesn’t lessen the seriousness of the incident: a name, date of birth and order history are more than enough for a criminal to craft a convincing phishing email in M&S’s name.
The ICO and Its Role in a Breach
The Information Commissioner’s Office (ICO) is the UK’s independent authority for upholding information rights. When a data breach like this occurs, the ICO is one of the first ports of call. Under Article 33 of the UK GDPR, a company that acts as a Data Controller (like M&S or Harvey Nichols) must report a personal data breach to the ICO “without undue delay” and, where feasible, no later than 72 hours after becoming aware of it. (Section 67 of the Data Protection Act 2018 contains the parallel obligation for law enforcement processing under Part 3 of that Act.)
If the 72-hour window is missed, the report must be accompanied by the reasons for the delay. Reporting is not required where the breach is unlikely to result in a risk to individuals’ rights and freedoms, but companies often err on the side of caution, particularly when consumer trust is at stake.
After receiving a report, the ICO typically launches an investigation to determine both the impact and the circumstances leading up to the breach.
What Powers Does the ICO Have?
Once the ICO steps in, it has several enforcement tools at its disposal. These include:
• Warnings
• Enforcement Notices
• Fines
Enforcement Notices are formal directives requiring the organisation to either take or avoid specific actions to remedy the situation. Fines, meanwhile, come in two tiers:
1. The Higher Maximum
This applies where there’s been a serious breach, like failure to comply with key data protection principles or transferring data unlawfully to third countries. Under this tier, fines can reach up to £17.5 million or 4% of a company’s total worldwide annual turnover, whichever is higher.
2. The Standard Maximum
Applied to less severe breaches, such as failures to meet administrative obligations, this cap sits at £8.7 million or 2% of total worldwide annual turnover, again whichever is higher.
Here's how the level of fine is generally decided (infringement, then the applicable fine level):
• Breaches of data protection principles: Higher Maximum
• Infringements related to processing under Part 3 of the DPA 2018: Higher or Standard Maximum, depending on the section breached
• Non-compliance with ICO notices (e.g. enforcement or information notices): Higher Maximum
• Administrative oversights: Standard Maximum
What Happens Next for M&S?
So far, several visible steps have been taken in response to the breach:
• On 2 May 2025, the ICO confirmed it had received a report from Marks & Spencer regarding the incident.
• The ICO also stated it would be working closely with the National Cyber Security Centre (NCSC) to assess and address the breach.
• M&S contacted affected customers directly and requested that they reset their account passwords as a precaution.
This kind of swift and transparent communication is not just good PR, it’s a necessity. In the wake of such attacks, customer confidence can erode quickly, and how a company responds often matters just as much as the breach itself.
Conclusion
Unfortunately, cyber attacks are no longer rare. They’re part of the risk landscape for any business handling personal data. And while large companies like M&S have more resources at their disposal to manage breaches, they also have more to lose in terms of reputation, regulatory scrutiny, and customer trust.
For individuals, the takeaway is this: be vigilant. Use strong, unique passwords (if you reused your M&S password elsewhere, change it there too), enable two-factor authentication wherever possible, and be cautious of emails or calls that appear to come from a brand you trust, especially ones that refer to the breach itself or ask you to confirm account details.
For organisations, this event is yet another reminder of the importance of robust cybersecurity measures and transparent crisis management. The regulatory framework is clear, and the ICO has the tools and authority to act decisively when those standards aren’t met.
As always, if you have questions about how to protect your data - whether you're a business or an individual - professional legal advice can make all the difference.
Taylor Hampton Solicitors advises on all aspects of data protection and cybersecurity law. You can learn more by visiting: taylorhampton.co.uk
About the Creator
Delbert Gordon
I’m a legal professional dedicated to making the law more accessible. With a strong understanding of legal systems, I aim to provide clear insights on legal developments and public rights to help people navigate everyday legal matters.