
Latest news with #CyberSecurityBreachesSurvey2025

Over 1,000 Scots join class action suit against M&S after cyber hack

Daily Record

4 days ago


The news comes after we revealed the retail giant is facing a multi-million-pound case for failing to keep personal data safe.

More than 1,000 Scots have joined legal action against Marks & Spencer following a major cyber attack that compromised customer data, lawyers say.

Hackers obtained customer and staff information that could include phone numbers, home addresses, dates of birth and online ordering histories of millions of people in a cyberattack in April.

In May, we told how Thompsons Solicitors launched a class action suit which could result in compensation pay-outs of several hundred pounds per customer. The action allows affected individuals to seek compensation collectively, rather than through individual claims.

M&S has since admitted that the incident was the result of 'human error' and said the fallout is expected to cost the company around £300m.

The Co-Op Group was also targeted at the same time in a ransomware attack – believed to be part of a wider coordinated operation by criminals.

Although no passwords or financial information were taken, experts warn that this kind of data could be used to commit identity fraud or enhance phishing scams.

Thompsons senior partner Patrick McGuire said the number of claimants is continuing to grow quickly, with more expected to join.

He said: 'The level of engagement from the public with this class action has been huge. It is the fastest growing case we have ever handled.

'The public are furious with M&S who they saw as a trusted brand while the hackers saw them as an easy target. The failure to protect our clients' valuable data has led to many already being targeted by organised criminals. I expect this case to continue to grow and we will make sure our clients get proper compensation for this huge breach of trust.'

Thompsons has previously represented clients in other data breach cases involving organisations such as Arnold Clark and the University of the West of Scotland.

According to the UK Government's Cyber Security Breaches Survey 2025, 43% of businesses reported experiencing at least one cyberattack or breach in the past year. The prevalence of ransomware attacks has also increased significantly, with an estimated 1% of all UK businesses – roughly 19,000 firms – affected in 2025, up from less than 0.5% in 2024.

Mr McGuire said the trend should serve as a warning for all companies holding personal data.

A spokesperson for Marks & Spencer said it has not yet received any group litigation claims.

They added: 'We wrote to our customers as soon as we could in relation to their personal data, making clear that no useable card or payment details or account passwords had been extracted during the cyber incident, and that there was no evidence that any customer data had been shared, which we continue to monitor and remains the case.'

The boss of Marks & Spencer said last week that he hoped its online operations would be running 'fully' within four weeks as it continues to recover from the damaging cyber attack.

Stuart Machin told the retailer's annual general meeting: 'I have previously highlighted that it would take all of June and all of July, maybe into August but definitely by July.

'Currently, half of online is open but not areas like click and collect. Within the next four weeks we are hoping for the whole of online to be fully on.'

Over 1,000 join legal action against M&S after major customer data breach

STV News

5 days ago


  • Thompsons Solicitors launches class action against M&S after April's cyberattack exposed customer data
  • Names, emails, addresses, and birth dates stolen — raising concerns over identity fraud and phishing scams
  • M&S admits fault, estimating the breach could cost the company around £300 million
  • Customers urged to beware of fake emails offering gifts; experts stress verifying sender details before clicking links
  • M&S hopes to fully restore digital operations by August, following shutdowns to contain the breach

More than 1,000 Scots have joined legal action against Marks & Spencer following a major cyber attack that compromised customer data, according to lawyers.

Thompsons Solicitors said it is launching a class action lawsuit against the retail giant after a catastrophic data breach in April that saw personal details belonging to millions of customers stolen by cyber criminals. The action allows affected individuals to seek compensation collectively, rather than through individual claims.

M&S has since admitted that the incident was the result of 'human error' and said the fallout is expected to cost the company around £300m.

At the same time, the Co-Op Group was also targeted in a ransomware attack – believed to be part of a wider coordinated operation by criminals.

The stolen information included names, email addresses, postal addresses, and dates of birth. Although no passwords or financial information were taken, experts warn that this kind of data could be used to commit identity fraud or enhance phishing scams.

Thompsons senior partner Patrick McGuire said the legal action is still in its early 'onboarding' stages, but the number of claimants continues to grow rapidly.

'More and more people have approached us,' he told STV News. 'What that shows is how strongly Marks customers feel about that incident. They are upset, distressed and angry at the way the company treated them, the way it's been almost brushed under the carpet.

'Unless M&S can show they had absolutely nothing to do with the loss, that they could've done nothing else to prevent the loss from happening, they are liable in law to pay compensation.

'That's clearly the case in this incident; they did not do enough, they did not have robust enough systems, they are legally responsible.'

Thompsons has previously represented clients in other data breach cases involving organisations such as Arnold Clark and the University of the West of Scotland.

According to the UK Government's Cyber Security Breaches Survey 2025, 43% of businesses reported experiencing at least one cyberattack or breach in the past year. The prevalence of ransomware attacks has also increased significantly, with an estimated 1% of all UK businesses – roughly 19,000 firms – affected in 2025, up from less than 0.5% in 2024.

Mr McGuire said the trend should serve as a warning for all companies holding personal data.

'The legislation is perfectly clear; the people who hold our data have a very heavy burden to protect that data. When that doesn't happen, they are just as responsible in law as the hackers for injury, upset, and distress caused by that data loss,' he said.

'Marks & Spencer legally have nowhere to hide. I hope that means they will come to the table quickly and do the right thing, and pay their loyal customers compensation to which they're entitled.'

A spokesperson for Marks & Spencer said they have not yet received any group litigation claims. The company also notified regulators soon after discovering the cyber incident and continues to work closely with them.

The statement read: 'We wrote to our customers as soon as we could in relation to their personal data, making clear that no useable card or payment details or account passwords had been extracted during the cyber incident, and that there was no evidence that any customer data had been shared, which we continue to monitor and remains the case.'

Last week, the boss of Marks & Spencer said he hoped its online operations would be running 'fully' within four weeks as it continues to recover from the damaging cyber attack.

Stuart Machin told the retailer's annual general meeting: 'I have previously highlighted that it would take all of June and all of July, maybe into August but definitely by July.

'During the incident we chose to shut things down because we didn't want the risk of things going wrong.

'Currently, half of online is open but not areas like click and collect. Within the next four weeks we are hoping for the whole of online to be fully on.

'Then our focus will be getting the Donington site back and running. We're hoping that by August we will have the vast majority of this behind us and people can see the true M&S.'

M&S has sent gift cards to some customers but scammers are also sending fraudulent emails offering afternoon tea hampers if you complete a survey. Consumer experts have warned to be suspicious of emails that come out of the blue.

'Check the email address it's sent from to see if it ends in ' before clicking on any links and if you are still in doubt, contact M&S directly to verify if it's legitimate,' said Lisa Webb, a consumer law expert at Which?

Dave Excell, founder of Featurespace, said: 'Scammers have a wide range of tools in their armoury to make digital communications as convincing as possible, and button generation using embedded links that take the victim to another site are one such example.'

  • Fraudsters are using embedded links and button generation to disguise malicious websites in emails
  • Criminals often exploit current events to make their scams appear timely and legitimate
  • AI tools like FraudGPT and deepfakes are being used to enhance the realism and effectiveness of scams

'Financial providers must continue to invest in technology such as AI to identify and prevent fraud in real-time, enabling banks to effectively work alongside their customers to help spot scams before it's too late,' Mr Excell said.

Cyber Risk Isn't Just IT – It's Business Resilience

Business News Wales

03-06-2025


As a Silver Partner of Wales Tech Week – Wales' largest international tech summit – Cyber Innovation Hub shares why cyber isn't just a tech issue, and what every business needs to do to prepare for the next breach.

43% of UK businesses were hit last year. Would you be ready to respond?

Cybersecurity isn't just an IT issue. It's a business resilience issue. And the latest headlines are proof that no one is immune.

When M&S, Co-op and Harrods made front-page news following cyber breaches, the scale of the disruption raised eyebrows. But behind the headlines lies a deeper story: according to the BBC, the likely entry point for the M&S breach was a third party who had access to its systems. This reinforces the message that you can outsource responsibility, but you can't outsource risk.

Whether it's a retail giant or a regional SME, cyber threats are not abstract or distant. They're operational. They're financial. And they're deeply human.

Cyber risk doesn't discriminate, but it does exploit the unprepared

Most people don't think about cybersecurity until it's too late. Until payment systems go down, customer data is exposed, deliveries are missed and operations grind to a halt. These aren't IT failures. They're full-scale business crises.

One compromised supplier can disrupt an entire chain. And for smaller businesses, the impact can be existential. As Tash Buckley from Cranfield University noted in a recent BBC interview: 'For smaller companies, it's more of an existential issue. They don't have the kind of finances that M&S have to get the experts in.'

A recent UK Government report confirms what many already fear: cyber attacks are hitting organisations of every size. According to the Cyber Security Breaches Survey 2025, just over four in ten businesses (43%) and three in ten charities (30%) reported experiencing a cyber security breach or attack in the past year.

This isn't a niche problem. This is the everyday reality for UK organisations. And for many smaller firms, with tighter margins and fewer in-house experts, the stakes are even higher.

Are you cyber resilient? Three ways to find out

A cyber incident doesn't need to spell disaster. Microsoft reports that 98% of cyberattacks can be prevented with basic cyber hygiene. With the right habits, tools, and training in place, businesses can shut the door on the vast majority of threats. But resilience won't happen by accident. Here's where to start:

1. Build cyber into business continuity planning

Cyber shouldn't sit in a silo. Your risk register should include realistic scenarios, and your business continuity plans should reflect the growing threat landscape.

● Which systems are mission-critical?
● What's your recovery time objective?
● Have you tested your plan under pressure?

If your team isn't clear on what happens when the systems go down, you're not ready.

2. Focus on foundational cyber hygiene

Many high-profile attacks exploit basic weaknesses: weak passwords, outdated software, or unsecured third-party access. Simple, shared standards can dramatically reduce exposure.

● Use strong, separate passwords and multi-factor authentication
● Keep systems and software up to date
● Back up critical data regularly
● Vet your suppliers and review access controls

Don't underestimate the basics – they're your frontline defence.

3. Train everyone – not just IT

Cyber resilience is a whole-organisation issue. Your comms team, ops lead, and finance manager all have roles to play when things go wrong. Make sure they:

● Know the signs of an incident
● Understand how and when to escalate
● Are confident acting under pressure

Cyber security isn't about knowing everything, it's about knowing what to do next.

Turning readiness into action

At Cyber Innovation Hub, we don't just talk about cyber resilience, we help organisations build it. Here's how we're helping teams across Wales and beyond get ahead of threats:

Bitesize Cyber Courses

Accessible, practical training for busy teams. From cyber hygiene to critical infrastructure security, our bitesize and hands-on courses are here to build real-world cyber resilience across your organisation. Designed for busy professionals, delivering practical skills that make an immediate impact, without disrupting schedules. Through realistic, scenario-based exercises, teams practise defending critical systems in safe, controlled environments, so they're ready to respond when it matters most.

Real-World Testbed Environments

When you're deploying a new system or solution, the last thing you want is to test it live and risk downtime or vulnerabilities. That's where our testbeds come in. Built for organisations and critical environments, our safe, simulated spaces let you test cyber defences, simulate real-world attacks, including AI-driven threats, and refine your response strategies before anything goes live.

Whether you're validating a solution, training your team, or exploring potential blind spots, we give you the environment to stress-test your systems without the risk. Because in cybersecurity, confidence comes from what's been tested, not what's assumed.

Final word: security is a shared responsibility

You don't need to be a cyber expert. But you do need to know how your business will respond if the worst happens. Cybersecurity is a people issue. And people who understand the risks and practise their response are your strongest line of defence.

So ask yourself: If a cyber incident hit your business tomorrow, would you be ready to respond?

This November at Wales Tech Week, we'll be showcasing how we're helping businesses like yours prepare, adapt, and thrive in the face of growing cyber risks. Come and see what readiness looks like – and why it matters more than ever.

Explore what's possible with Cyber Innovation Hub: See cybersecurity in action at Wales Tech Week 2025. Register for free:
