Customer data leaks and ransomware attacks
On 13 May 2025, the Chief Executive of Marks & Spencer plc (M&S), Stuart Machin, confirmed that customer personal data had been stolen during a ransomware attack on M&S over the Easter weekend in April of this year.
The focus of the criminal investigation is currently on the cyber criminal group ‘Scattered Spider’, who organised a number of cyber attacks targeting companies in the retail and finance industries.
This is not the first time a major retailer has announced that customer data has been stolen following a cyber-attack. Back in September 2024, the luxury department store and online retailer, Harvey Nichols, announced to its customers on 18 September 2024 that it had discovered on 16 September 2024 that information such as customers’ names, addresses, phone numbers, company names, and email addresses had been accessed. They confirmed in an email to their customers that the Information Commissioner’s Office (ICO) and Data Protection Commission in Ireland had been notified accordingly.
What is Personal Data?
Article 4(1) UK General Data Protection Regulation (GDPR) defines “Personal Data” as “any information relating to an identified or identifiable natural person”.
An “identifiable natural person” is also defined in Article 4(1) as one who can be “identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. In the M&S cyber-attack, stolen customer data included customers’:
- Names;
- Dates of birth;
- Usernames;
- Passwords;
- Payment information; and
- Order histories.
M&S did, however, clarify that customer payment or card details were not stolen.
What is the ICO’s role following a data breach?
The ICO enforces data protection regulation in the UK such as the UK GDPR and Data Protection Act 2018 (DPA 2018).
Once a Data Controller such as M&S or Harvey Nichols becomes aware that customer data has been shared, Part 3 s67(1)(a) and (b) of DPA 2018 makes it clear that the Data Controller must report it to the ICO “without undue delay” and “where feasible, not less than 72 hours after becoming aware of it”.
If the Data Controller fails to make this report within the specified timeframe, Part 3 s67(3) DPA 2018 states that their notification to the ICO must be accompanied by reasons for the delay.
If, however, the breach is unlikely to pose a risk to the rights and freedoms of the Data Subject, Part 3 s67(1)(a) and (b) of the Act does not apply, and a report is not necessary.
Following a report being made to the ICO by the Data Controller, the ICO will then undertake an investigation into the impact and circumstances leading to the data breach.
What are the ICO’s powers following notification of a breach?
The ICO can issue:
- Warnings;
- Enforcement Notices; and
- Fines.
These powers are set out in Part 6 of the Data Protection Act 2018.
An Enforcement Notice involves the Information Commissioner giving the Data Controller a notice setting out the steps that they must comply with, or steps which they must refrain from taking following a breach (Part 6, s159(1) DPA 2018).
Under Part 6 of the Data Protection Act, there are two levels of penalty for an infringement of data protection principles, known as the “Standard Maximum” and “Higher Maximum”.
As for fines, when applying the Higher Maximum the ICO can issue fines of up to £17.5m or 4% of an entity’s total worldwide annual turnover, whichever is higher (Part 6, s157(5)(a) and (b) DPA 2018).
The Higher Maximum will be applied where there has been:
- A failure to comply with data protection principles;
- A failure to comply with the rights of an individual under Part 3 of the Data Protection Act; and
- A transfer of data to third party countries.
The Standard Maximum imposes a fine of £8.7m or 2% of total annual worldwide turnover in the preceding financial year, whichever is higher (Part 6, s157(6)(a) and (b)). This standard is applied where there has been:
- Infringements of other provisions not falling under the Higher Maximum, such as a failure to comply with administrative requirements imposed under data protection legislation.
Which penalty?
The table below sets out which standard should be applied, depending on the data protection infringement that has been committed:

| Infringement | Amount to be applied |
| --- | --- |
| UK GDPR | Amount specified in Article 83 UK GDPR, or, if the amount is not specified there, the standard maximum. |
| Part 3, sections 35, 36, 37, 38(1), 39(1), 40, 44, 45, 46, 47, 48, 49, 52, 53, 73, 75, 76, 77, 78 of the Data Protection Act | Higher maximum amount |
| Other Part 3 infringement | Standard amount |
| Part 4, sections 86, 97, 88, 89, 90, 91, 93, 94, 100, 109 | Higher maximum amount |
| Other Part 4 infringement | Standard maximum amount |
| Failure to comply with an information notice, assessment notice or enforcement notice | Higher maximum amount |
What steps has M&S taken so far?
- The ICO issued a statement on 2 May 2025 confirming that it had received a Report from Marks and Spencer plc;
- The ICO confirmed that it would be working closely with the National Cyber Security Centre (NCSC) following the Report; and
- Customers were informed of the attack by M&S and prompted to reset their password the next time they logged in to their M&S account.
For more information
Taylor Hampton advises on all aspects of data protection law. For more information head to our website https://taylorhampton.co.uk/