🏥 When Trust Gets Hacked, What the M&S Breach Tells Us About Modern Retail Risk
By Jason Brooks | muckypaws.com
✅ TL;DR
- Retailers are collecting too much data for basic transactions, increasing consumer risk.
- Regulatory standards like PCI-DSS protect card data but ignore broader personal data like names, addresses, and DOBs.
- Encryption isn’t a silver bullet… attackers with admin access can often decrypt data, especially in cloud environments.
- Breach disclosures tend to underplay impact… the real burden lands on consumers.
- Consumers have no digital equivalent of the FSCS (the UK’s Financial Services Compensation Scheme, which protects bank deposits if a financial institution collapses): there is no guaranteed support, restitution, or standardised redress when their personal data is breached.
- We need legislative change, stronger protections, and industry-wide recognition that consumers deserve more than just a password reset.
🔐 First, Let’s Talk About What Needs to Change
Before we dive into the headlines, let’s address a core issue that every breach, including the one at M&S, keeps exposing:
Retailers are collecting too much data… and protecting too little of it.
We’re still being asked for full dates of birth and other personal information … even just to buy everyday items online. While delivery addresses and phone numbers may be needed for fulfilment and courier communication, full dates of birth have little business staying in a customer profile once identity or age verification has been completed. And we rarely have clarity on how this data is shared with third parties … be it courier firms, CRM providers, marketing agencies, or analytics platforms. Unless it’s essential for financial or legal reasons, this level of persistent data collection poses more risk than reward.
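As an added illustration (not part of the original post) of what “use it for the decision, then don’t keep it” looks like in code, here is a Python sketch of a checkout handler that verifies age from the submitted date of birth and then retains only the fields with an ongoing fulfilment or account purpose. The field names, the retention policy sets and the sample order are hypothetical and constructed for this example.

```python
from __future__ import annotations
from datetime import date

# Hypothetical retention policy (constructed for this example): which checkout
# fields still have a business purpose once the order has been placed.
RETAIN_FOR_FULFILMENT = {"full_name", "delivery_address", "phone"}
RETAIN_FOR_ACCOUNT = {"email"}
# Collected only to make a one-off decision; must never persist in the profile.
TRANSIENT = {"date_of_birth", "card_number", "cvv"}

MIN_AGE = 18


def age_on(dob: date, today: date) -> int:
    """Whole years between dob and today, accounting for a birthday not yet reached."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


def minimise_checkout(payload: dict, today: date) -> dict:
    """Verify age from the submitted DOB, then keep only fields with a purpose.

    The DOB itself is replaced by an attestation (verified yes/no, and when),
    which is all a later age-restricted purchase needs to know.
    """
    dob = date.fromisoformat(payload["date_of_birth"])
    allowed = RETAIN_FOR_FULFILMENT | RETAIN_FOR_ACCOUNT
    retained = {k: v for k, v in payload.items() if k in allowed}
    retained["age_verified"] = age_on(dob, today) >= MIN_AGE
    retained["age_verified_on"] = today.isoformat()
    return retained


def leaked_fields(record: dict) -> set[str]:
    """Fields present in a stored record that the policy says must not persist."""
    return TRANSIENT & set(record)


# Constructed sample checkout; not real customer data.
SAMPLE = {
    "full_name": "A. Customer", "email": "a.customer@example.com",
    "phone": "+44 20 7946 0000", "delivery_address": "1 Example St, London",
    "date_of_birth": "2007-06-15", "card_number": "4111111111111111", "cvv": "123",
    "marketing_segment": "frequent-buyer",
}

if __name__ == "__main__":
    print(minimise_checkout(SAMPLE, date(2025, 5, 20)))
```

Running `leaked_fields` over existing profile records is a cheap way to audit whether a store has quietly kept what it should have discarded.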
The more data you collect, the more you store…
The more you store, the more you expose…
And the more you expose, the more damage you cause when something goes wrong.
Yet the laws that govern this haven’t kept pace.
⚖️ UK Regulation: A Step Behind the Threat Landscape
You’d think by now there’d be strict legal rules forcing companies to encrypt all personal data… but that’s not the case.
- PCI-DSS mandates strong encryption, but only for payment data like card numbers and CVV.
- UK GDPR and the Data Protection Act 2018 tell organisations to use “appropriate technical and organisational measures”… but they don’t define what that looks like for names, phone numbers, or dates of birth.
- So yes, in 2025, companies can still legally store your PII in plaintext, and sadly, many do.
Encryption at rest is often cited as a defence…
But if attackers gain access to the systems or identities that can request data, including the database and the keys, that encryption offers little protection.
Even in cloud environments, once you control the workloads and permissions, the data is often just an API call away.
Why do we continue to protect the wrong things, with outdated assumptions?
🧠 What’s Really Going On Behind the Scenes?
Marks & Spencer first announced a cyber incident over the Easter weekend. More recently, we’ve learned about the scope of what may have been accessed.
As a customer, I received a carefully worded email today saying that some personal information “may have been taken”… but not to worry, no passwords or payment data were exposed.
It sounds reassuring…
But scratch a little deeper, and things get murkier.
As always, every expert and their dog has weighed in with a theory.
“It was phishing…”
“It was misconfigured cloud storage…”
“It was an insider…”
“It was Russia, or maybe China…”
But here’s the truth:
Only the people directly involved know what really happened.
That includes the M&S teams, their consultants, law enforcement… and the threat actors themselves.
🎭 What the Public Sees vs What’s Really Happening
Customers see:
- An apology email
- Assurances of limited data exposure
- A password reset prompt
Internally, it’s more like:
- Crisis meetings
- Forensic deep dives
- Legal briefings
- Notifications to regulators
- War room operations
- Possibly, negotiations with ransomware brokers
Yes, ransomware brokers are real. Some companies quietly engage them to negotiate with threat actors, hoping to recover data or delay a leak. It’s a fragile process with no guarantees.
And while it may seem like the attackers vanish without consequence, investigations often continue quietly in the background.
🔍 Official Statements vs Reality
M&S stated that affected data may include:
- Contact details
- Date of birth
- Online order history
But independent reporting (BBC, Reuters) suggests additional fields:
- Full name
- Email address
- Phone number
- Postal address
- Purchase history
- Customer analytics data
Both statements might be technically accurate…
But the framing is very different. One protects reputation. The other informs the public.
⚠️ The Breach Doesn’t End When the News Cycle Moves On
Within 48 hours, I received scam emails spoofing M&S … offering “free gifts”, surveys, and phishing lures.
The breach is just the beginning…
The exploitation phase is where the real damage begins.
And it doesn’t stop next week. It won’t stop when the comms teams move on.
Some of us will be dealing with the fallout for months, or even years.
🗺 Final Thought
This isn’t about shaming M&S; they aren’t the first, and they won’t be the last.
But it is about asking hard questions:
- Why are we still collecting so much data for routine purchases?
- Why isn’t that data treated like the liability it is?
- Why do we still rely on outdated compliance language instead of practical protection?
Breaches are inevitable… but confusion, minimisation, and inaction don’t have to be.
And here’s the uncomfortable truth:
Once the dust settles, it’s not the company that’s left exposed.
It’s us.
We’re the ones who have to be more vigilant, deal with fraud risks, and wonder where else our data might appear.
The company’s reputation will be restored… public attention will shift elsewhere… and corporate life will move on.
But the consumer has no digital equivalent of an FSCS safety net. No automatic restitution.
No guaranteed apology that translates into compensation.
We need legislative challenge.
We need change.
And we need to acknowledge the people who’ve been impacted … not just the systems.
Meanwhile, threat actors are quietly building the most complete consumer profiles ever assembled… cross-referencing our stolen data into a single point of truth that even marketers could only dream of.
🛡 What Can Consumers Do?
Until legislation catches up, consumers can take a few protective steps:
- Be wary of unsolicited emails or calls, especially following a known breach.
- Consider enabling credit freezes or fraud alerts if available.
- Use password managers, passkeys, and avoid reusing credentials.
- Question why any company needs your full date of birth or address, and push back when they don’t.
These aren’t long-term fixes, but they can help reduce exposure while we advocate for systemic reform.
🗣️ A Call to Action
If this resonates with you … don’t let the conversation stop here.
➡️ Speak to your MP about the need for stronger digital consumer protections.
➡️ Raise concerns with the Information Commissioner’s Office (ICO), even if they don’t always act unless the headline is big enough … public pressure still counts.
➡️ Support calls for reform in industry bodies, privacy forums, and watchdog groups.
Real change only happens when enough people raise their voices. It doesn’t have to be loud … just consistent.
✉️ Template Letter to Get You Started
If you’re not sure how to begin the conversation, feel free to adapt the letter below for use with your local MP or a regulatory body like the ICO:
💬 Over to You
I’d genuinely welcome thoughts from others … professionals and consumers alike.
- Do you agree?
- Disagree?
- Have a different take on what needs to change?
Let’s start the conversation. It’s long overdue.
Thanks for reading,
Jason