We’ve all seen the annoying ads on social media, asking if we’ve had car finance between this date and that, promising we could be owed compensation.

Now, lawyers say, we could see similar ads asking if we’ve ordered online from M&S, or signed up to its app (as 18 million people have).

It would be the work of the same claim-farming firms leaping on M&S’s admission yesterday that customer data has been accessed by the hackers who have been crippling its operations since Good Friday.

The data stolen includes contact details, date of birth and online order history – but not useable payment card details, according to M&S.

Mixed messages

The retailer said there was “no evidence” the data had been shared – then undermined the reassurance somewhat by warning customers they may receive scam emails.

That’s because the data has of course been accessed by the hackers themselves, a group not known for respecting confidences.

This simple fact will likely be sufficient to tempt “established class action software companies that work with law firms to build a book of clients”, says Luke Harrison, partner at law firm Keidan Harrison.

The claimants would be “passengers” joining on an “opt-in” basis “while the law firm runs the claim”, says Harrison. The grounds for the claim would be “compensation for the notional price of allowing your data to be used”.

Or, as Kingsley Napley partner Melanie Hart puts it, “‘loss of control damages’, based on an argument there is an inherent anxiety caused by losing control of your data”.

There arguably is. Cybersecurity experts are quick to warn M&S shoppers of the increased danger. “This type of data is protected for a reason,” says Charlotte Wilson, head of enterprise at Check Point Software. “It can be used to create convincing scams that feel personal and trustworthy.”

So M&S is “sure” to receive individual claims, says Hart. “Nowadays there will be a few that think they’re onto a money ticket.”

But “there is also the possibility a claims management company and/or lawyer will seek to gather together a class [action] and try to pursue something”, Hart adds.

The claim per individual would be small – potentially about £500, according to Harrison, or “low hundreds”, according to Hart.

“But if you have 250,000 claims of £500 each, it obviously adds up to a very significant sum,” says Harrison. That would be £125m, to be precise, going by Harrison’s back-of-an-envelope figures.

Biggest data breach fines recorded

It’s not as far-fetched as it sounds. Among the highest bills ever in data breach class-action lawsuits, Uber paid $148m in 2022 to settle civil litigation tied to a 2016 data breach in which hackers gained access to names, email addresses, and phone numbers of more than 50 million Uber customers worldwide, and more than 600,000 drivers’ licence numbers.

A massive 2014 data breach at The Home Depot in the US, in which hackers were able to access over 50 million credit card numbers and as many email addresses, cost the retailer $200m in settlement payments, including $134.5m to credit card companies and banks and about $20m for consumers impacted.

Even exposing people to a risk of their data being hacked can be expensive. In 2023, Whole Foods Market settled for $300,000 in a class action claim arguing the retailer recorded employees’ voices for biometric use without proper notice, thereby exposing them to the potential of hacking and identity theft, while also breaching biometric privacy laws.

While those claims were in the US, and the breaches more serious than M&S’s, another UK lawyer warns: “There are the ambulance-chasing members of this profession. Originally they pursued road traffic accident claims, and then it was holiday sickness claims. Now it’s data claims.”

The good news for M&S is that it will have insurance. It could claim as much as £100m from its cyber insurers over the attack, The FT reported today. We must hope it can. Otherwise, with social media easing the route to large numbers of opportunist claimants for those former ambulance-chasing lawyers, M&S’s estimated £43m a week in lost sales could be only part of the cost for the retailer.