
M&S’s loyalty app has 18 million members, who are required to reset their passwords as a result of the breach, along with anyone logging into its website

M&S is likely to face compensation claims that could run to hundreds of millions of pounds over hackers gaining access to customer data, lawyers have warned.

The retailer admitted today that a cyberattack it has been battling for more than three weeks had involved hackers stealing customer data including contact details, date of birth and online order history, but not usable payment or card details. It said there was no evidence data had been shared, but warned customers of the possibility they would receive emails, calls or texts falsely claiming to be from M&S.

Luke Harrison, partner at law firm Keidan Harrison, said customers could claim compensation even if they suffered no financial loss as a result of the breach. They could claim “compensation for the notional price of allowing your data to be used – the amount you would have charged M&S for giving your data to someone else”, he said.

He said M&S’s admission was likely to be leapt on by claim-farming firms using social media to build a class action lawsuit.

“There are established class action software companies that work with law firms to build a book of clients,” said Harrison. “They might have a relatively small claim – £500 or something like that – but if you have 250,000 claims of £500 each, it obviously adds up to a very significant sum.”

M&S’s loyalty app has 18 million members, who are required to reset their passwords as a result of the breach. Anyone logging into the retailer’s website would also have to reset their password, M&S said today.

Compensation claims

Claims could be gathered on an “opt-in” basis through targeted social media ads promising hundreds of pounds in compensation to shoppers who had signed up to the app or ordered from M&S online.

“The clients are passengers while the law firm runs the claim and no doubt will negotiate a settlement with M&S,” said Harrison.

“I suspect what M&S may end up doing is offering voluntary compensation to avoid an action taking place, which is what sometimes happens in these cases.”

Benjamin Ross, global head of privacy at Bortstein Legal Group, pointed to 16,000 claimants joining a class action against BA over a 2018 data breach, which the company settled confidentially in 2021. The BA data breach included names, addresses and payment card details and affected 400,000 customers. 

Melanie Hart, partner at Kingsley Napley, said: “I expect we will see one or two firms trying to pursue something on a class action basis [against M&S].

“The phrase that is used is ‘loss of control damages’, based on an argument that there is an inherent anxiety caused by losing control of your data.

“We’re talking about low hundreds of pounds per individual.”


Harrison said M&S could also be pursued over “any direct loss, where someone’s data is used [by hackers], although you’d have to show there is a direct link”.

Cybersecurity experts have warned the data stolen from M&S could be used in personalised phishing scams. Charlotte Wilson, head of enterprise at Check Point Software, said: “This type of data is protected for a reason. It can be used to create convincing scams that feel personal and trustworthy.

“We often see a spike in phishing emails, fake delivery texts, and scam calls after breaches like this, particularly when order history or usernames are involved.”

M&S’s security measures

M&S said in its admission that it had reported the incident to the relevant government authorities and law enforcement, with whom it was working closely.

BA was also hit with a £20m fine by the Information Commissioner’s Office over the 2018 data breach. For breaches of the security obligations under UK data protection law, the ICO has the power to impose a fine of up to 2% of annual worldwide turnover in the preceding financial year – a sum of around £260m in M&S’s case. The higher tier of fine, for breaches of the data protection principles themselves, is capped at 4% of turnover.

“However, the ICO is unlikely to issue a fine unless M&S is actually at fault,” said Ross.

“Any investigation by the ICO would involve establishing whether or not M&S had implemented appropriate security measures as required by UK data protection law.”

M&S is the second retailer in days to admit losing customer data to hackers, after Co-op said on 2 May that cyberattackers had accessed names and contact details but not passwords, bank or credit card details, or transaction data.