TL;DR
Marks and Spencer faced a major cyber attack in 2025 that affected operations and exposed some customer data. The Information Commissioner's Office is investigating, and affected customers should monitor accounts and use the formal ICO complaint process where they believe their personal information has been mishandled.
What the attack affected
The attack disrupted Marks and Spencer's online ordering, contactless payments at the till and the company's logistics network for several weeks. The company published regular updates through its corporate communications and investor relations channels.
Customer data including names, contact details and order histories was reported to have been exposed. Payment card details were not affected, according to the company's published response.
How the company responded
Marks and Spencer disabled affected systems while the investigation continued, with stores reverting to manual processing in some categories. The company worked with the National Cyber Security Centre and external security firms on incident response.
Customers received updates through email and the Marks and Spencer website. Sparks loyalty programme members continued to earn points where the payment system was operational.
ICO investigation and what it means
The Information Commissioner's Office is the UK regulator for data protection. It has powers to investigate organisations after a data breach and to impose fines of up to 4 per cent of global annual turnover under UK GDPR.
ICO investigations typically take several months to complete. The regulator publishes outcomes when an investigation concludes, including any enforcement action and the lessons learned.
What customers should do
Monitor bank and card statements regularly for any unfamiliar transactions. Sign up to free identity monitoring services such as those offered by Experian, Equifax or TransUnion to detect identity theft.
Customers concerned about their personal data can submit a Subject Access Request to Marks and Spencer to see what data the company holds. The request is free and the company has one month to respond under UK GDPR.
Wider trends in retail cyber attacks
Retail cyber attacks have risen since the pandemic shift to online shopping. The National Cyber Security Centre tracks the threat landscape and publishes guidance for businesses and consumers.
Customers can reduce personal risk by using strong unique passwords, enabling two-factor authentication, and avoiding storing payment card details with retailers where the convenience does not outweigh the risk.
Key facts
- Marks and Spencer cyber attack disrupted operations in 2025.
- Customer data exposed; payment cards not affected.
- ICO is investigating under UK GDPR.
- Fines can reach 4 per cent of global turnover.
- Free identity monitoring through Experian, Equifax, TransUnion.
FAQ
What happened in the M&S cyber attack?
The attack disrupted online ordering, contactless payments and logistics for several weeks. Customer data including names, contact details and order histories was exposed. Payment cards were not affected.
What is the ICO doing?
It is investigating under UK GDPR. The ICO can impose fines of up to 4 per cent of global annual turnover and publishes outcomes when investigations conclude. Investigations typically take several months.
How do I check my personal data?
Submit a free Subject Access Request to Marks and Spencer. The company has one month to respond under UK GDPR. The request shows what personal data is held.
How can I reduce my risk?
Use strong unique passwords, enable two-factor authentication, monitor bank and card statements regularly, and sign up to free identity monitoring through Experian, Equifax or TransUnion.