Allianz reportedly on the hook as M&S cyber claim could hit £100m

Marks and Spencer (M&S) could reportedly claim up to £100m following a severe cyber attack that caused weeks of disruption.

The retailer confirmed last week that hackers accessed limited personal customer data in an attack that first came to light on 22 April 2025.

The business said that no account passwords or payment data were compromised.

While the immediate impact on customer information may have been limited, the attack is expected to cost M&S in lost sales, with the retailer previously pausing orders via its websites and apps.

According to the Financial Times, people familiar with the matter said that the UK retailer’s cyber policy allows it to claim up to £100m and that Allianz is expected to pay at least the initial £10m.

Beazley is also potentially among the insurers exposed to losses, the report added.

Allianz declined to comment on the matter, citing confidentiality around client relationships. Beazley also declined to comment.

Next steps

In an update issued on 13 May 2025, M&S said it had taken “proactive steps” to mitigate further risks, including engaging with cyber security experts and reporting the attack to law enforcement and government agencies.

The business contacted affected customers to inform them of the data breach, although it reiterated there was “no evidence” that stolen information had been shared or misused. It also prompted users to reset their passwords as a precautionary measure.

M&S said it remained “grateful for the support” of its customers, colleagues and partners during the recovery process.

The attack comes after Howden emphasised the need for improved cyber insurance penetration in the UK, particularly among SMEs.

A November survey revealed that 52% of businesses have experienced at least one cyber attack in the past five years, resulting in £44 billion in lost revenue. The research also indicated that companies with revenues over £100m are the most targeted.