Excerpt from STV News Article, Published on July 8, 2025

M&S is now at the center of a major legal battle following a significant data breach linked to the MOVEit software vulnerability. The breach, which compromised the personal information of thousands of employees, has triggered a class action lawsuit in the UK. The claim is being led by Keller Postman UK, a prominent law firm specializing in data and privacy litigation.

The breach originated not directly from M&S’s internal systems but via Zellis, a third-party payroll provider that utilized the MOVEit file transfer tool. Cybercriminal group Clop exploited vulnerabilities in the MOVEit platform to access sensitive employee information — including names, national insurance numbers, and banking details.

The data breach has also impacted other major UK firms such as the BBC and British Airways, further raising concerns about third-party risk in payroll and HR outsourcing.

Keller Postman is urging affected individuals to join the class action, citing M&S’s duty of care in ensuring the safety of employee data, even when handled by external vendors. Legal experts say this could become a landmark case for corporate accountability in outsourced data processing.

This incident not only raises questions about cybersecurity preparedness but also highlights growing pressure on organizations to ensure full compliance with data protection regulations, including the UK GDPR.

M&S has acknowledged the breach and is cooperating with relevant authorities. However, reputational and legal consequences may linger as scrutiny intensifies around vendor risk management practices.
