
Thompsons Solicitors’ Patrick McGuire explains how his firm is spearheading a collective action on behalf of Scottish victims of the Marks & Spencer hack.
UK high-street stalwart Marks & Spencer (M&S) is facing opt-in collective legal action in Scotland following the much-publicised data breach that exposed sensitive customer information and left hundreds of people fearing for their digital safety. The proceedings are being led by Patrick McGuire, a partner at Thompsons Solicitors, who says his firm has been contacted by hundreds of people in the immediate aftermath of the breach.
Describing the incident as a “catastrophic data breach”, McGuire tells ICLG News that the reaction from the Scottish public had been swift and overwhelming, prompting his firm to begin preparing legal claims within days of the news breaking. “We started to get approached that quickly by members of the public,” he explains. “People like you and I – because I am one of them – started to receive emails from Marks & Spencer notifying us that our data had been compromised. And within days, we were contacted by dozens of people asking for legal advice.”
Thompsons Solicitors has a track record in pursuing high-profile data breach cases, including claims against Arnold Clark, EasyJet, South Lanarkshire Council and Capita. The firm is already involved in other mass data breach litigation, but McGuire says the public response to the M&S breach was different in its immediacy and intensity. “From that first publication [concerning the proceedings] – two Sundays ago in the Scottish press – we’ve been approached by hundreds of Scottish people who want to pursue a claim,” he said. “This is the first time I’ve had individuals email me directly, rather than using our standard enquiry channels. They’re that concerned.”
McGuire was clear that the breach goes beyond the usual inconveniences associated with digital security lapses. “There’s a fundamental difference between being told that your data might have been compromised, and knowing that criminals have actually been inside the system and extracted information,” he says.
According to McGuire, M&S has confirmed that unauthorised parties accessed its servers and stole personal data, meaning this is not a case of speculative risk, but confirmed criminal activity. “The data that’s been taken is quite extensive,” he explains. “It’s not just your name and email address. It’s the kind of information that leaves individuals extremely vulnerable to phishing attacks, identity theft and financial fraud.” He goes on to reveal that some of the firm’s clients had already reported being targeted in “fairly intricate” scams that made use of the data stolen from M&S. “There are reports online – and we’ll be verifying this – that the stolen data is available for purchase on the dark web,” McGuire adds. “That’s not just an inconvenience. It causes distress, anguish, and anxiety.”
This psychological impact is central to the legal claims being made. “If somebody is incredibly stoic and says they’re not bothered, then they need not claim,” McGuire acknowledged. “But the vast majority of people are rightly distressed. And that’s exactly what the law says you can claim for: the emotional harm caused by the misuse or theft of your personal data.”
The legal foundation for the claims rests on UK-wide data protection legislation, which requires data controllers and processors to take all reasonable steps to safeguard the personal information they hold. In practice, this places a high bar on companies to ensure the integrity and security of their IT systems. McGuire expands: “The law places an incredibly heavy burden on companies. If your data goes missing, the company has to prove that it did everything that could reasonably be expected of it. That’s the statutory defence. But it’s not easy to meet.” He adds that, in many previous cases, including Arnold Clark and Capita, the companies involved were unable to establish that they had implemented sufficiently robust data protection measures. “We don’t yet know if Marks & Spencer will be able to establish that defence,” he says. “But media reports already suggest that human error played a part, and if that’s the case, it points to a failure in internal systems and processes.”
The claim seeks financial compensation for the emotional distress suffered by victims, although McGuire is candid about the limitations of the civil courts. “All we can do is seek financial redress for the distress our clients have suffered. That’s the remedy the law provides,” he notes. “But we also hope that behind that, companies like Marks & Spencer introduce properly robust, well-funded data protection systems.” He adds that widespread litigation could help raise corporate standards across the board: “What we hope happens more widely is that every company holding people’s data takes their responsibilities seriously. These kinds of breaches are not going away. Criminals are increasingly sophisticated, and if companies can’t meet the legal standard, they’ll be liable.”
The M&S proceedings come at a time when the efficacy of large-scale class actions is under renewed scrutiny, albeit south of the border. The long-running Merricks v MasterCard case, once hailed as a landmark for collective redress in England, has attracted criticism due to low anticipated payouts and disputes between funders and lawyers.
McGuire acknowledges the controversy, but has it dampened his enthusiasm for collective redress? “No, not at all,” he counters. “And that’s because the MasterCard and [Lloyd v] Google cases were opt-out proceedings, which are a very specific form of mass litigation available in England and Wales. We don’t have that in Scotland.” He goes on to describe the English opt-out model as “odd” and potentially counterproductive: “Everyone’s included unless they choose not to be. That arguably encourages campaigners to raise claims for reasons other than compensation, which is all the civil courts can ever provide.”
By contrast, all Scottish claims are opt-in, meaning individuals must actively join the litigation. “Firms like ours would never take on a group proceedings action unless we’d spoken to the individual, assessed their case, and determined that they had an actionable legal claim,” he says. “That’s how the system works here, and we believe it’s more sustainable and just.”
The legal action is being bankrolled by a third-party funder, although McGuire is coy about the details. “It’s a Scottish funder with vast experience in supporting litigation of this kind,” he teases, adding that funding arrangements are a routine and necessary part of making large-scale legal actions viable.
A CAMPAIGNER’S VIEW
Speaking exclusively to ICLG News, Nikki Stopford, co-founder of consumer rights group Consumer Voice, adds a consumer-rights perspective: “Data breaches are no longer rare, but the impact on people can be distressing and damaging. This breach at M&S not only caused widespread disruption for UK shoppers but has also left consumers who had their personal data stolen vulnerable to scams and identity theft, something the company should be held accountable for.”
She continues: “Under the UK General Data Protection Regulation (GDPR), you have the right to claim compensation if a company has mishandled your personal data and you’ve suffered harm, such as financial loss or emotional distress. If the company won’t agree to pay you compensation when you complain you will have to go to court. In this case joining a group legal action can be an effective way to get back the compensation you’re owed.”
SIMILAR PROCEEDINGS IN ENGLAND
While collective proceedings for data breaches have not yet led to huge successes in courts in any UK jurisdiction, recent years have seen some notable cases. In 2018, British Airways was the subject of a cyberattack that compromised the personal and financial details of approximately 400,000 customers. The breach involved the theft of names, addresses and payment card information, prompting the Information Commissioner's Office to fine the airline GBP 20 million for failing to protect customer data adequately. Subsequently, collective proceedings were initiated on behalf of affected customers, with the claim settled out of court in 2021 for an undisclosed amount.
Some years later, in June 2024, and in a breach which compounded the distress of the innocent victims of the Horizon IT scandal, the Post Office inadvertently published the names and addresses of 555 former sub-postmasters associated with the scandal. The Post Office has offered compensation of up to GBP 5,000 per person, and law firm Freeths, representing the majority of the claimants, has confirmed that 348 clients have already received payments.
Meanwhile, gay dating app Grindr is facing a class action lawsuit in England over allegations that it shared sensitive user information, including HIV status, with third-party advertisers without consent. The lawsuit, filed by law firm Austen Hays, claims that the data breaches occurred between 2016 and 2020, affecting thousands of users.
Law firm KP Law, which is initiating similar proceedings against M&S in England, did not immediately respond to ICLG News’ request for comment.