Why Professional Communication and GDPR Compliance Matter More Than Ever in 2025

Shaun Coyne

The recent Marks & Spencer cyber-attack has been one of the biggest reminders in recent years of how fragile customer trust can be, and how high the stakes are when it comes to compliance, data protection, and professional communication.

In today’s hyper-connected world, where nearly every word typed or spoken can be stored, analysed, or retrieved, how we communicate with customers, even behind closed doors, has never been more important. At Simple Refunds, we believe professionalism in communication is not only good practice, but also a legal and reputational necessity.

The Rise of Subject Access Requests (SARs)

Under the General Data Protection Regulation (GDPR), any individual has the legal right to request all personal data held about them, including written and verbal records. These are known as Subject Access Requests (SARs).

This includes:

  • Emails and call transcripts
  • Internal chat logs
  • CRM notes
  • Any metadata tied to a customer’s profile

DataGrail's 2024 Privacy Trends Report indicates that Data Subject Requests (DSRs) increased by 32% between 2022 and 2023. Companies must therefore assume that any comment made about a customer could one day be disclosed to them. An offhand internal remark that seems harmless could cause real embarrassment, or worse, reputational damage, if revealed.

https://www.helpnetsecurity.com/2024/05/06/data-subject-requests-dsr/?utm_source=chatgpt.com

Case Study: Marks & Spencer Cyber Attack, 2025

In April 2025, Marks & Spencer was struck by a ransomware attack carried out by the group Scattered Spider, which exploited a third-party provider. The attackers used social engineering tactics to reset internal passwords, gaining access to sensitive customer records.

Impact on Operations and Customers

  • Severe disruption: Contactless payments, online orders, and Click & Collect services went offline. Staff resorted to manual workarounds such as paper inventory tracking.
  • Financial fallout: M&S projected around £300 million in lost profit, with overall impact estimated at up to £440 million. Its market value dropped by more than £1 billion.
  • Customer data exposed: Names, addresses, dates of birth, and order histories were compromised (though payment details and passwords were not).

Why It Matters for GDPR and Communication

While the technical failure was serious, M&S also faced heightened scrutiny about how it handled communications and transparency. In a GDPR context, if internal correspondence about affected customers had contained unprofessional or careless remarks, these could have been disclosable under SARs, amplifying the reputational damage.

Real-World Consequences of Unprofessional Internal Comments

The M&S case isn’t isolated. Across industries, private communications have spilled into the public domain:

| Company | Incident | Outcome |
|---|---|---|
| Amazon UK | Internal chat logs mocking customer accents | Public apology, staff retraining |
| British Airways | Mishandling GDPR SARs and poor documentation | £20 million fine |
| T-Mobile | Leaked internal memos with unprofessional tone | Severe backlash on social media |

These examples make one thing clear: every recorded interaction matters.

Why This Matters in 2025 and Beyond

We’re living in an era where:

  • Privacy is a priority: Regulators are stricter than ever.
  • Transparency is a currency: Customers expect accountability.
  • AI and automation amplify risks: More systems mean more ways data, and tone, can be mishandled.

Companies that take responsibility, train their teams, and bake privacy into every interaction will not only avoid fines and fallout but also build stronger, trust-based relationships.

How Simple Refunds Protects Customer Data

At Simple Refunds, we’ve built GDPR compliance and respectful communication into the heart of our business:

  • We are fully GDPR compliant and registered with the ICO.
  • All customer communications are encrypted at rest during a refund.
  • Fourteen days after a refund has been satisfactorily completed, files are hashed for security.
  • Our team is trained to ensure every written and verbal interaction remains professional, respectful, and transparent.

From the first contact to the final refund, every interaction reflects our people-first approach.

Final Thoughts

The M&S cyber-attack demonstrates how quickly trust can unravel when systems fail and data is exposed. But the lesson is bigger than cybersecurity alone:

  • Every note. Every email. Every word matters.
  • Professionalism is no longer optional; it’s a compliance obligation.
  • Data protection and communication standards must go hand in hand.

At Simple Refunds, we’re proud to lead by example, combining best-in-class GDPR compliance with a respect-driven communication culture. Because protecting customers isn’t just about systems, it’s about integrity.
