The recent cyber attack on Marks & Spencer reportedly involving a third-party payroll provider, is a sobering reminder that no retailer is immune to today’s complex digital threats, warns leading national law firm Clarke Willmott.

“There’s a temptation to view this purely as an IT failure, but that’s missing the wider point,” says Chidem Aliss, a partner in the firm’s commercial and IT team specialising in technology, who advises retail clients on cyber preparedness and regulatory risk.

“In today’s climate, with increasingly sophisticated attacks and a complex web of third-party systems, the question isn’t if a breach will occur, it’s how well you respond when it does.”

News that Thompsons Solicitors Scotland is pursing compensation claims against Marks & Spencer over the Easter weekend cyber attack exposed customers’ personal data shows just how vulnerable businesses are when sensitive information is compromised.

“We’re now seeing a shift in public and legal expectations,” added Chidem Aliss.

“Retailers must prove they took reasonable steps to prevent breaches and responded quickly. When customers or employees feel kept in the dark, reputational damage and claims follow.

“What is at stake isn’t just data, it is trust, business continuity, and brand reputation. And with customer and employee data often managed through third-party platforms, managing supplier risks is now a critical part of staying cyber safe.

“At Clarke Willmott, we’re working with retailers to put end-to-end incident response plans in place, from assessing the breach, reporting to the board and the Information Commissioner’s Office (ICO), to legally reviewing third-party contracts and drafting clear public messaging.

Clarke Willmott is a national law firm with offices in Birmingham, Bristol, Cardiff, London, Manchester, Southampton, and Taunton.