Live National Cyber Helpline · 0300 123 2040
Assured Cyber Protection Cyber & insurance briefing

Threats, Incidents and Claims

M&S Data Breach Compensation: What Happened and Can You Claim?

By the Assured Cyber Protection team · Updated 2026 · Reviewed

The M&S data breach put millions of shoppers’ personal details in the hands of criminals and opened the door to M&S data breach compensation claims that are still working through the system. If you shopped with Marks and Spencer online or held a Sparks account, you may have had a notification letter or email, and you are probably wondering whether you are owed anything and what you should do next. This guide explains what actually happened, what data was taken, whether a claim is realistic, and the practical steps that matter more than the compensation itself.

What happened in the M&S attack

In April 2025 Marks and Spencer was hit by a major cyberattack that disrupted online orders, knocked out some in-store contactless payments, and forced the retailer to suspend its website ordering for weeks. Investigators linked the intrusion to the hacking group known as Scattered Spider, using DragonForce ransomware, and reporting suggested the attackers had been inside M&S systems for weeks before the disruption became public.

The financial hit to M&S was severe, with the company reporting a large dent to profits and preparing a cyber insurance claim reported to be worth up to £100 million. But the part that affects ordinary customers is the data.

What data was exposed

M&S confirmed that attackers accessed personal customer data. Based on the company’s own statements, the exposed information could include:

  • Names
  • Home and email addresses
  • Phone numbers
  • Dates of birth
  • Online order histories

Crucially, M&S has said that payment card details were not taken and that account passwords were not compromised in a usable form. That lowers the risk of direct financial fraud, but it does not remove the risk. Names, contact details and dates of birth are exactly what criminals use to build convincing phishing messages and impersonation scams, which is why the practical steps below matter.

M&S reported the incident to the Information Commissioner’s Office (ICO) and worked with the National Cyber Security Centre on the response. You can read the company’s own account on the M&S cyber update page.

Can you claim M&S data breach compensation?

Possibly, but it is worth being realistic about how UK law works here. Under the UK GDPR and the Data Protection Act 2018 you can seek compensation when an organisation’s failure to protect your data causes you harm. That harm can be:

  • Material damage, meaning actual financial loss (for example money stolen through fraud that traces back to the breach), or
  • Non-material damage, meaning distress, anxiety or the time and effort you spent protecting yourself.

Several law firms have launched group action claims against M&S on a no-win, no-fee basis, and thousands of customers have registered. To join, you generally need evidence that your data was affected (typically the breach notification from M&S) and, ideally, a record of any financial loss or genuine distress you can point to.

Two honest caveats. First, being caught up in a breach does not guarantee a payout: UK courts have made clear that you usually need to show real damage or distress, not just the fact that your data was exposed. Second, no-win, no-fee claims normally take a “success fee” out of any award if you win, so read the terms before you sign up to any claims company. There is no cost to check eligibility, but the firm keeps a slice of a successful claim.

You do not have to use a claims firm at all. You can complain directly to M&S and, if you are unhappy with the response, raise it with the ICO, though the ICO does not award compensation itself.

What to actually do now

Whether or not you pursue a claim, these steps protect you against the real-world risk from this breach:

  1. Treat unexpected M&S messages with suspicion. Criminals holding your name, email and order history can send very convincing fake “we need to verify your account” emails and texts. Never click links in them; go to the M&S website directly.
  2. Change your passwords on your M&S account and anywhere you reused the same password, and turn on two-factor authentication where you can.
  3. Watch your bank statements for anything unusual and report it to your bank quickly. Even though card data was not taken, vigilance costs nothing.
  4. Keep the notification M&S sent you. If you do decide to claim later, that letter or email is the key piece of evidence.
  5. Be wary of “claim your compensation” cold calls. Scammers piggyback on real breaches. A genuine claims process will not pressure you or ask for upfront fees.

You can report suspicious messages to the National Cyber Security Centre and learn how UK data rights work on the ICO website.

The bigger lesson for businesses

For any UK business, the M&S incident is a reminder that a breach is not just a technical event, it is a legal and financial one. Notification duties, ICO scrutiny, group litigation and cyber insurance claims all follow. If you run a company that holds customer data, this is the scenario cyber cover and strong security controls are meant to soften.

For more on how these claims and duties work, see our guides on GDPR breach compensation, real-world GDPR breach examples, and the closely related Co-op data breach compensation.

Frequently asked questions

Am I entitled to M&S data breach compensation automatically? No. Being affected by the breach does not guarantee a payout. UK law generally requires you to show that the breach caused you real harm, such as financial loss or genuine distress. The clearest way to strengthen a claim is to keep your M&S notification and any evidence of loss or the steps you had to take.

How much compensation could I get from the M&S data breach? There is no fixed figure, and anyone promising a specific amount up front should be treated with caution. Awards depend on the type of data involved, the harm you suffered and how a court or settlement values it. Distress-only awards in UK data cases are typically modest, and any no-win, no-fee firm will take a success fee from what you receive.

Was my payment card stolen in the M&S breach? M&S has stated that payment card details were not taken and that passwords were not compromised in a usable form. The exposed data was more likely to include your name, contact details, date of birth and order history, which raises the risk of phishing and impersonation rather than direct card fraud.

Do I have to use a claims company to make a claim? No. You can complain directly to M&S and escalate to the ICO if you are not satisfied, although the ICO does not award compensation. Claims firms handle group actions on a no-win, no-fee basis for convenience, but they keep a success fee, so weigh that against doing it yourself.

How do I know if my data was affected? The main sign is a breach notification from M&S sent by email or letter. If you are unsure, avoid clicking links in any message claiming to be from M&S and instead check your account and contact the company through its official website.

What is the deadline to claim? Data protection claims in the UK generally must be brought within six years (five in Scotland), but group actions often have their own registration windows set by the law firms running them. If you think you have a claim, it is sensible to look into it sooner rather than later rather than leave it to the last minute.

The Threat Brief

A calm, plain-English security update. Once a week.

New scams, breach lessons, and cyber insurance changes that affect UK businesses, explained without the jargon. No alarmism, no vendor spin.

Unsubscribe anytime. We never share your address.