M&S is facing a multimillion-pound lawsuit over the theft of customer data in the cyberattack that has been crippling the retailer for a month.
M&S admitted last week that hackers had stolen customer data including contact details, date of birth and online order history, but not usable payment or card details. It said there was no evidence data had been shared, but warned customers of the possibility they would receive emails, calls or texts falsely claiming to be from M&S.
Scottish law firm Thompsons Solicitors is launching a class action claim against the retailer for exposing customers to the threat of scams by failing to protect their data.
Senior partner Patrick McGuire told The Sunday Mail the firm had been “inundated by Scots M&S clients who have been caught up in this online heist and are contacting Thompsons”.
“I think this will be the biggest data theft case we have ever been involved in,” McGuire said.
Customer data breach
It comes after The Grocer last week revealed lawyers had warned M&S would likely face a class action lawsuit over the breach. Luke Harrison, partner at law firm Keidan Harrison, said customers could claim “compensation for the notional price of allowing your data to be used – the amount you would have charged M&S for giving your data to someone else”.
“They might have a relatively small claim – £500 or something like that – but if you have 250,000 claims of £500 each, it obviously adds up to a very significant sum,” Harrison said.
Melanie Hart, partner at Kingsley Napley, said: “The phrase that is used is ‘loss of control damages’, based on an argument there is an inherent anxiety caused by losing control of your data.”
McGuire said: “Group litigation, also known as class actions, means that the public can hold M&S to account for the theft of their details.
“It’s legal action of this kind that gives consumers redress and shows retailers they cannot skimp on cybersecurity.”
Harrison said individual claimants could be gathered on an “opt-in” basis through targeted social media ads placed by a claim-gathering software company. “The clients are passengers while the law firm runs the claim and no doubt will negotiate a settlement with M&S,” said Harrison.
ICO fines
The Information Commissioner’s Office has the power to impose a fine equivalent to 2% of a company’s annual turnover if it finds measures to protect customer data were inadequate.
“However, the ICO is unlikely to issue a fine unless M&S is actually at fault,” said Benjamin Ross, global head of privacy at Bortstein Legal Group.
“Any investigation by the ICO would involve establishing whether or not M&S had implemented appropriate security measures as required by UK data protection law.”
M&S halted online orders in the first days after the attack emerged.
The crisis is costing the retailer £43m a week in lost sales, according to analysis by Bank of America Global Research, and has wiped more than £1bn off the company’s stock value.
M&S is due to announce its annual results this Wednesday. While the period covered will be up to 29 March, before the cyberattack, questions about the ongoing crisis are likely to dominate the press conference with CEO Stuart Machin.