Class action lawsuits are harming both businesses and consumers, campaigners have said, as M&S faces the first such claim over the theft of customer data by hackers.
M&S admitted last week that a cyberattack it has been battling for a month had resulted in the theft of customer data including contact details, date of birth and online order history.
The admission led to warnings from lawyers that M&S would face costly class action lawsuits, as revealed by The Grocer, even though the details stolen do not include usable payment or card details.
Data theft claims
The first such claim emerged at the weekend, with a senior partner at a personal injury law firm in Scotland telling a newspaper: “I think this will be the biggest data theft case we have ever been involved in.”
Patrick McGuire of Thompsons Solicitors told The Sunday Mail the firm would launch a class action lawsuit this week, having been contacted by M&S customers.
“Group litigation, also known as class actions, means the public can hold M&S to account for the theft of their details,” said McGuire.
“It’s legal action of this kind that gives consumers redress and shows retailers that they cannot skimp on cybersecurity.”
Seema Kennedy, executive director of the campaign Fair Civil Justice, said: “This growing shift toward US-style litigation risks undermining public trust, inflating costs, and harming the businesses that consumers depend on.
“It is disappointing to see that lawyers here have already begun recruiting claimants, noting that claimants do not need to have suffered any harm, before the Information Commissioner’s Office has had a chance to review the matter and before M&S are able to put in place their own scheme.
“With litigation funders and lawyers routinely taking a significant portion of any damages in class actions, they can drain businesses while doing little for the real victims.”
Class action lawsuits can involve lawyers and funders taking up to 80% of damages, according to Fair Civil Justice. The business-funded campaign is calling for reform of dispute resolution schemes to protect companies and consumers from “the growing threat of predatory litigation”.
McGuire told The Grocer: “There would be nothing fair about a civil justice system that sought to deny those who suffer a civil wrong access to the courts.
“We have been approached by hundreds of Scottish victims of the M&S data breach scandal who are deeply worried about their data having been leaked to cyber criminals and who have suffered distress, upset and anguish which are real and tangible harms that our data protection legislation recognises entitles them to fair redress for the harm they have suffered.
“We are pround to stand up for such victims and fight for the civil justice to which they are entitled in the civil courts if M&S will not do the right thing and pay them the compensation to which they are entitled.”
US class actions
According to US law firm Duane Morris, the number of class action data breach claims has rocketed in the country in recent years, doubling between 2022 and 2024.
US organisations paid out $154m in class action data breach lawsuits between August 2024 and February 2025 alone, according to separate analysis by UK cybersecurity company Panaseer. The company said a lawsuit against M&S “could be the start of class actions filtering into the UK business space”.
Luke Harrison, partner at law firm Keidan Harrison, told The Grocer last week that M&S’s admission was likely to be leapt on by claim-gathering firms using social media to build a class action lawsuit. “There are established class action software companies that work with law firms to build a book of clients,” said Harrison. “They might have a relatively small claim – £500 or something like that – but if you have 250,000 claims of £500 each, it obviously adds up to a very significant sum.”
Another lawyer said: “There are the ambulance-chasing members of this profession. Originally they pursued road traffic accident claims, and then it was holiday sickness claims. Now it’s data claims.”
M&S online orders have been suspended for more than three weeks as a result of the cyberattack, which is estimated to be costing the retailer £43m a week in lost sales.
No comments yet