What happened in the Marks & Spencer cyber-attack?
In spring 2025, Marks & Spencer – one of the UK's best-known retailers – confirmed a serious cyber incident which disrupted both its online and in-store operations. The attack, believed to involve sophisticated social engineering through a third-party contractor, forced M&S to pause many online clothing and home orders, limit Click & Collect and temporarily adjust contactless payments while systems were secured and rebuilt.
The disruption lasted for weeks and has been described as one of the most damaging cyber-attacks to hit a UK retailer, with reports of hundreds of millions of pounds in lost sales and operating profit. M&S has now confirmed that some customer data – including contact details, dates of birth and online order history – was accessed, but has stressed that no payment card details or account passwords were exposed and that there is currently no evidence that the stolen data has been shared.
Who might be affected? Customers whose details were held in M&S systems during the 2025 cyber incident – for example online shoppers, Sparks members and people who received digital receipts or marketing emails.
What type of data? According to M&S, the incident may involve contact details, dates of birth and online order history. Importantly, they have confirmed that no useable payment card data or account passwords were taken.
Why it matters: Even without card details, access to names, contact details, dates of birth and shopping patterns can increase the risk of targeted phishing, scams, identity fraud and ongoing distress – especially where customers were left without clear information for a period of time.
Who can join the claim?
- Customers who shopped with Marks & Spencer in recent years – particularly those who placed online clothing, home or food orders, used the M&S app or registered a Sparks account around the time of the 2025 cyber-attack.
- People contacted by M&S (for example by email, letter or SMS) about the cyber incident, a possible data breach or changes to their account or order history.
- Customers who have suffered distress, anxiety or inconvenience because their personal information may have been exposed, or because they were unable to access key services or complete essential purchases during the disruption.
- Anyone who has noticed suspicious activity that may be linked to M&S data – for example scam emails or texts referencing M&S orders, or attempts to impersonate the retailer or its delivery partners.
How our no win no fee works
We charge nothing upfront for investigating your potential Marks & Spencer data breach claim. If the claim is not successful, you pay nothing for our legal fees. If the case succeeds, our success fee is taken from the compensation recovered or as set out in our retainer/DBA terms, which are clearly explained and sent to you for e-signature before you commit.
What evidence should I collect?
Keep copies of any emails, letters or texts from Marks & Spencer about the cyber incident, service disruption or a possible data breach. Save screenshots of suspicious emails or messages pretending to be from M&S, your bank or delivery companies that reference recent orders or account details. Bank statements showing unusual transactions, credit-monitoring alerts and notes of scam calls or texts can all help us assess your claim.
What happens after I submit my details?
First, we carry out a quick eligibility check based on your shopping history with M&S, any notifications you've received and the impact on you. If you appear to be in scope, we'll send no win, no fee documents for you to review and sign electronically. Once you decide to proceed, our team will begin building your claim, gather further evidence where appropriate and keep you updated as any group litigation or settlement discussions develop.
This page is for information only and does not constitute legal advice. A solicitor–client relationship only begins once you have signed our retainer documents.