July 22, 2025

Are Retailers Doing Enough To Prevent Cyberattacks?

The acceleration of cyberattacks in recent months, from Marks & Spencer to Harrods and Victoria’s Secret, has led to calls for retailers to step up their investments in cybersecurity and digital resilience.

Retailers remain prime targets due to their online presence and the high volume of transactions involving billions of customers’ sensitive data. Retailers catering to high-end clients are seen as particularly vulnerable. Other retailers recently involved in attacks include Adidas, Cartier, Co-Op, Dior, and The North Face.

Risks to retailers include shutting down systems during breaches, with both Marks & Spencer and Victoria’s Secret temporarily taking down their websites in response to such attacks. United Natural Foods — North America’s largest publicly-held wholesale food distributor and the main distributor for Whole Foods — said last week that a breach, discovered June 6, shut down its systems for three weeks, leading to $350 million to $400 million in lost sales for the year.

Retailers May Downplay Security Breaches Out of Caution

Retailers also risk stock price hits and regulatory fines as a result of data breaches.

Firms hit by breaches have further been found to underreport incidents to avoid bad press, ultimately risking customer trust. A survey from Vercara found two-thirds of consumers would not trust a company following a data breach.

James Maude — field CTO at BeyondTrust, which develops intelligent identity and access security solutions — believes creating seamless online purchase platforms could be opening doors for cyber attackers. Maude told Security Magazine, “In general, the retail sector can find themselves caught in tradeoffs where their focus is on making it as easy as possible to buy an item not making it as secure as possible.”

He noted that requiring multi-factor authentication (MFA) for online consumers may make them hesitant to make an impulse purchase. Maude added, “Similarly, rewards points and loyalty schemes have become a frequent target for attack as attackers launch credential stuffing campaigns fueled by other breaches to access and cash out rewards and points into untraceable gift cards or goods.”

Beyond prioritizing MFA, industry experts are increasingly recommending zero-trust architecture, which requires continuous verification of all user identities and device integrity, significantly reducing the risk of unauthorized access. The latest breaches targeted third-party relationships within a supply chain.

Majority of Breaches Tied to Human Error, But Cybersecurity Will Become Even More of a Necessity for Retailers Moving Forward

VikingCloud found 95% of data breaches were tied to human error, often linked to inadequate cybersecurity training. VikingCloud said in a blog entry, “The high turnover of retail employees means more people with limited awareness of internal cyber policies.”

In a co-penned article for Information Security Buzz, Dave McGrail, head of business consultancy at Xalient, and Chris Woods, founder and CEO at CyberQ Group, advised investing in precautionary incident response and recovery plans — as well as in AI-driven threat intelligence. The two wrote, “Threats to retailers will only intensify with more ransomware attacks, combined with the security implications of new technologies like AI and machine learning, and the challenges of securing the supply chain.”

Greater collaboration among industry partners and law enforcement is also being called for. Co-op is teaming up with U.K. social impact business The Hacking Games to encourage teenagers to take up cybersecurity careers, rather than be drawn into hacking. The U.K.-based c-store chain cited data showing that 69% of European teenagers have committed some form of cybercrime or online offense.

Discussion Questions

What minimum defensive steps should retailers be taking to minimize financial losses and reputational damage from cyberattacks?

Are the tradeoffs justified in prioritizing the shoppers’ online experience over multi-factor authentication requirements and other security measures that are being called for?

10 Comments
Neil Saunders

Aside from proper cyber protection, retailers should have a very clear plan for disruption in the case of attack. It is clear that some retailers attacked recently did not have this, and it caused huge issues. The other thing that’s helpful is insurance. M&S had some level of insurance against disruption and it will be able to recoup some (but not all) of its losses. But, of course, this is also a government issue as cyber attacks are a crime to be prevented and prosecuted.

Craig Sundstrom

Although this is certainly a retail issue, unfortunately very few of us who comment on here have the technical knowledge to answer a question like “what steps should be taken?” (other than to offer up bromides like “more!” or “all of them”).
Unfortunately, too, these tend to be all or nothing catastrophes, the very kind of thing that’s hard to plan for, and – since damage tends to be episodic – the prevention of which is something cost cutters are likely to skimp on.

Michael Zakkour

They could start by adopting a system like SKADI (SKADI Cyber Defense), a system that learns on the job and then thinks about and creates new protections on the fly. It is as close to autonomous/agentic AI cybersecurity as there is on the market. And they are 1/3 the price of the BIG CYBER guys whose pricing forces some retail execs to say “F-it” and take shortcuts, or ignore the potential threat waterfall.

Mark Ryski

Cybercrime is a scourge—not just for retailers, but for every sector of society. Today alone, Microsoft announced it’s dealing with a massive cyberattack. Hospitals, schools, and governments are also frequent targets. The truth is, no retailer—regardless of size—can fully defend against sophisticated, state-sponsored threat actors. That’s why governments need to play a much bigger role in protecting both businesses and citizens. Yes, cybersecurity training matters. But even well-trained employees can be tricked into making one wrong click that triggers a devastating breach. And while multi-factor authentication helps, it’s not a perfect solution either—especially when ease of purchase is a competitive priority. In the meantime, retailers must do what they can: keep systems updated, apply security patches, invest in training, and build strong incident response plans. And even then, you have to be prepared—because getting attacked isn’t a matter of if, it’s when.

Lisa Goller

When retailers skip multi-factor authentication for a frictionless online experience, it can appear that they prioritize revenue over trust. One cybersecurity breach can promptly erode trust, pushing loyal customers to the retailer’s rivals.

Michael Zakkour
Reply to Lisa Goller

Yes, we seem to have said the same thing.

Shannon Wu-Lebron

Retailers not only face cyberattacks in their own environment, they are also vulnerable to security breaches on technology vendors they rely on, namely SaaS software vendors, data platform providers.

Supply chain and supply chain tech is a high risk area that is being targeted more frequently in recent years. It warrants more attention.

AI is a double-edged sword. On one hand, AI can help automate security processes in user access review, risk detection/prevention, alerts and responses. On the other hand, AI-enabled copilots and agents can expose more sensitive data to bad actors, if not designed and architected with security/privacy and compliance in mind.

Bottom line, there doesn’t seem to be enough incentive or punitive damage to retailers in the long run to prioritize cybersecurity above other initiatives.

Mohamed Amer, PhD

No, they’re not. Retailers who blame “employee training gaps” are avoiding the more complex truth that their security architecture doesn’t account for human fallibility and is designed around it. Retailers need to design systems that assume compromise will happen. Integrate security into customer experience design from the outset, not as an afterthought. Make supply chain security transparency a key differentiator in procurement. Vendors who can’t demonstrate robust security shouldn’t be part of your ecosystem (consider the impact on United Natural Foods and its retail customers). Don’t treat cybersecurity as a cost center; it’s part of your organizational resiliency.

Michael Zakkour

This is a massive miss and blind spot for many retailers, cynical, and short-sighted, by those who downplay having been hacked. Like it or not, retail is becoming a technology business, and if you can’t protect your tech and your consumers, the savvy ones will ditch you. I read this morning that 80% of consumers blame the BRAND for delivery mishaps, despite it being UPS, DHL and FEDEX’s fault. Bad delivery = going to another retailer; inadequate privacy protection = going to another retailer. Modern retail is built on the pillars of supply chain and tech excellence. And consumers know it, even if they don’t “know” it.

BrainTrust

"Bottom line, there doesn’t seem to be enough incentive or punitive damage to retailers in the long run to prioritize cybersecurity above other initiatives."
Shannon Wu-Lebron

VP of Industry Strategy & Growth, Neudesic


"The truth is, no retailer—regardless of size—can fully defend against sophisticated, state-sponsored threat actors. That’s why governments need to play a much bigger role."
Mark Ryski

Founder, CEO & Author, HeadCount Corporation


"When retailers skip multi-factor authentication for a frictionless online experience, it can appear they prioritize revenue over trust. One breach can promptly erode trust."
Lisa Goller

B2B Content Strategist

