Retail cyberattacks follow no returns policy; boards must adapt
The week before Easter should have been routine for Marks & Spencer’s board. Finalise quarter-end reporting, sign off the Summer Food campaign, and review IT budgets ahead of the next planning cycle. Instead, with systems stalling and staff locked out of key apps, executives found themselves on a Sunday-night incident call. Overnight, ransomware notes traced to the Scattered Spider group began circulating on dark-web forums. By morning, investigators confirmed the entry point: an external IT contractor.
Within 48 hours, analysts were talking about the first billion-pound cyber event in British retail. M&S’s stock shed 14 per cent, and City traders downgraded revenue expectations by £60 million. What might have been dismissed as a one-off soon looked like the leading edge of something wider. Co-op Food admitted a separate incident that left its stock-ordering system inoperative, causing rural stores to run dry. Harrods shut down key systems after detecting "unusual activity". Dior, meanwhile, disclosed that customer data in China and South Korea had been compromised via an Asian e-commerce partner.
Each incident followed a familiar arc: initial access via a trusted partner, rapid privilege escalation, double-extortion ransom demands and, finally, public damage-control statements. Attackers even gloated to the BBC that UK retailers were now “on the blacklist” — a taunt backed up by threat-intelligence platforms tracking coordinated scans across retail domains.
The pattern reveals a structural fault line. The modern retail operating model is digitally distributed: cloud-hosted logistics, embedded fintech, outsourced developers, layered loyalty platforms. These arrangements unlock scale, but they also expand exposure. Retailers must now prepare as though incidents are inevitable, building their defences on the assumption that attempted breaches are a matter of when, not if. The focus has shifted from prevention to damage limitation, ensuring the systems and processes are in place to detect, contain and recover from attacks swiftly and transparently.
In the UK government’s latest Cyber Security Breaches Survey, 43 per cent of large businesses reported a material attack in the past year; separate Sonatype telemetry shows a 431 per cent jump in supply-chain exploits globally since 2020. Retail sits at the uncomfortable intersection of both trends.
As scrutiny turns toward third-party risk, the structural vulnerability of modern supply chains comes into sharper focus. Retailers operate through sprawling ecosystems: outsourced IT, SaaS-based logistics, embedded payment gateways, and dozens of lightly governed vendor relationships. Each represents a possible point of compromise.
Once inside, attackers can pivot through APIs, warehouse systems or HR databases, often undetected until ransomware detonation. Boards that treat supplier oversight as a compliance formality may find themselves blindsided by threats they technically outsourced, but reputationally own.
This isn’t a cluster of unfortunate events. It’s a tipping point. Retail is a sector where uptime is essential, consumer data is abundant, and supply chains are porous. For adversaries equipped with automation and low-cost ransomware kits, it’s a near-perfect target. The real question is no longer whether the sector is exposed. It’s whether boards are ready for an era in which a single supplier click can compromise not just operations, but trust, revenue and brand equity.
The mechanics of today’s retail breaches are depressingly consistent. Most begin not with code, but conversation. A spoofed help-desk call. A phishing message mimicking corporate tone. An exhausted contractor clicking “approve” after a barrage of multi-factor prompts. Social-engineering kits available on cybercrime forums now automate these moves, and their success rates are alarmingly high. As the UK’s National Cyber Security Centre warned in May 2025, attackers are actively impersonating IT support staff to reset passwords and hijack credentials — techniques specifically adapted to bypass standard MFA setups.
Once inside, adversaries rarely dwell as they once did in older, slower campaigns. Today’s threat actors operate at speed — exfiltrating data, encrypting systems, and issuing ransom demands in rapid succession. According to Marko Maras, CEO at Trustfull, “fraudsters have dramatically scaled up their operations thanks to AI and automation. What used to take hours or days can now be done in seconds and at a massive scale.” IBM’s Cost of a Data Breach report reinforces the urgency: organisations hit by fast-moving extortion campaigns pay, on average, 19 per cent more to recover.
Maras adds that the tools attackers use now significantly outpace many defenders’ capabilities. “The gap between the attackers’ tools and the defenders’ systems has never been wider,” he says. “And that’s what’s making these attacks feel so overwhelming.” The retail sector’s sprawling digital footprint only compounds the issue. As Jordan Avnaim, CISO at Entrust, points out, “supply chain attacks are a common tactic for cybercriminals, who often view contractors as softer targets.” With third-party platforms connected to everything from payment systems to customer databases, attackers often bypass hardened defences entirely and enter through the weakest link in a trusted network.
Hard numbers support the claim. Research by SecurityScorecard found that 97 per cent of the United States’ 100 largest retailers experienced at least one third-party breach in the last three years. Bitsight analysis of cyber-insurance claims puts supply-chain compromise behind almost a third of all retail payouts.
Yet many boards still focus narrowly on first-tier vendors, relying on outdated methods to manage risk. “Traditional vendor risk assessments — usually spreadsheet-based, annual, and focused on questionnaires — are no longer enough in 2025,” says Maras. “Threats now evolve too quickly, and third-party providers often have deep access into core systems, making them a prime target.”
He adds: “What businesses now need is continuous, real-time monitoring of vendor risk, using tools that track behavioural and digital signals — just like they would for their own networks.” These signals aren’t always visible through traditional compliance questionnaires. Contracts signed months ago can mask new vulnerabilities introduced via software updates or changed access permissions.
Garry Brown, managing director at Bondgate IT, reiterates this. "Businesses need to move toward continuous monitoring of their third-party partners, using live threat intelligence and more dynamic risk models," he says. "The best way to do this is to engage a specialist in cyber security and not rely on your typical internal IT support."
Brown also stresses the importance of moving away from assumptions of inherited security and adopting continuous verification instead. “The biggest takeaway from some of these most recent attacks is that organisations need to adopt a mindset where everything is verified constantly, not assumed because a vendor passed an assessment months ago."
Boards face a growing paradox: they outsource for speed, efficiency, and flexibility. But without real-time telemetry and clear escalation protocols, each outsourced service becomes a latent risk. Pierre Noel, Field CISO at Expel, highlights that “retail often experiences friction between the cybersecurity team and the firm's executives.” He notes that cybersecurity teams may understand vulnerabilities but struggle to communicate the business impact effectively to senior stakeholders.
“Retailers must implement a continuous cyber risk quantification programme,” he advises. “One of its outcomes is to generate and price credible incident scenarios, as well as to identify mitigating controls and their associated costs.” He adds that this type of information is “very meaningful for senior executives and the board, communicates effectively, and places the responsibility on them to determine which risks are acceptable and which are not.”
The shift is already underway. Progressive boards are exploring continuous vendor telemetry, contractual right-to-audit clauses, and the use of automated kill-switches when risk thresholds are breached. According to Sonatype, the number of software supply chain attacks in 2023 alone was twice the total recorded from 2019 to 2022 combined, with over 245,000 malicious packages identified. The retail sector, with its fragmented vendor base and lean IT budgets, remains especially exposed. Anything less than proactive oversight risks more than downtime.
An interconnected issue
When a cyber-incident leaps the IT boundary, the first damage is visible: tills freeze, baskets sit abandoned, web traffic collapses. But the next casualties are harder to quantify — share-price erosion, reputational damage, and, above all, executive attention diverted from growth to survival.
IBM’s study pegs the global retail average at US $3.68 million per incident, yet that figure excludes reputational drag and lost strategic momentum. Investors have begun to price those intangibles. In the fortnight after its Easter-week outage, M&S under-performed the FTSE-350 by nine percentage points; analysts at two buy-side houses quietly trimmed their three-year earnings models, citing “persistent cyber overhang”.
Allianz’s annual Risk Barometer now ranks cyber incidents as the number-one business peril for the fifth consecutive year, ahead of supply-chain disruption and macro-economic volatility. That pecking order matters: once insurers label something the top enterprise threat, CFOs know the cost of capital will follow.
Yet despite this elevation to boardroom risk, many organisations remain trapped in legacy mindsets. Cyber is still too often framed as an IT liability — a technical issue to be owned and managed by the CISO, rather than an enterprise-wide threat to operational and financial continuity. But as the latest wave of attacks on UK retailers makes clear, those distinctions no longer hold. The blast radius of a breach extends well beyond the firewall, reaching customers, contractors, compliance teams and capital markets alike.
Legal exposure is following close behind. “The recent wave of cyber attacks on retailers reveals not only the potential vulnerability of even large corporations, but also the growing sophistication of cyber criminals,” says Ian Birdsey, partner at Clyde & Co. “Although some of these attacks have been successfully defended by retailers, they can still cause significant operational disruption to the retailer and its customers.”
Birdsey points to the underlying risk drivers: customer data, digital dependency, and the operational fragility of real-world retail environments. “The volume and richness of customer data stored by retailers with online operations is often what makes them such viable targets, susceptible to blackmail and ransom where those criminal attacks succeed,” he notes.
“In an increasingly digitised world, businesses are almost completely dependent on internet-enabled systems, from lighting and air conditioning to security surveillance and self-checkouts, plus exposures from third party supply chains, which makes those with physical store fronts just as vulnerable to infiltration by malicious actors looking to disrupt operations.”
This growing digitisation underscores why the retail sector is in such a precarious position. Retailers’ tight margins, high customer volumes, and sprawling digital operations make them lucrative — and vulnerable — targets. “Ransomware criminals have no reason to move away from this attack vector,” warns Spencer Starkey, Executive VP EMEA of SonicWall. “The toolkits available are becoming much cheaper and easier to use.”
In an environment where even physical stores rely on real-time networked systems, cyberattacks don’t just cause disruption — they induce strategic paralysis.
That interdependence raises risks that stretch into the realms of legal liability. Retailers processing sensitive personal data are subject to regulatory frameworks like the UK GDPR, which mandates the implementation of appropriate technical and organisational safeguards. A failure to secure systems, notify regulators in time, or demonstrate due diligence can trigger fines running into millions — not to mention private lawsuits from affected customers or class-action firms.
Contingency planning, Birdsey argues, is not a luxury but a legal imperative: “Robust cyber security measures and contingency plans for when disaster strikes, whether it be caused by criminals or because of an accidental system failure, are crucial to maintaining business as usual and protecting against financial losses.”
In this context, responsibility must be distributed. Abraham Ingersoll, CSO at THG Ingenuity, argues that “sole responsibility for cybersecurity is an outdated concept.” From senior leadership to store-floor staff, everyone who interacts with technology plays a role in mitigation.
“Maintaining information security is only possible if everyone across the business does their part, which at its core means anyone who touches technology must understand and own their own risks,” Ingersoll states. “A CISO is already at risk if people in their business think that basic-level actions — like clicking a dodgy link — are someone else’s problem.”
This shared responsibility makes it clear that boards must treat cybersecurity as a fundamental business risk with real legal and financial consequences. As Marko Maras of Trustfull puts it: “Boards must treat cybersecurity as a core business risk — not just an IT concern. That starts with asking the right questions: What are our most critical digital assets? What real threats do they face? And are our current controls effectively reducing that risk?”
Answering those questions requires more than annual audits or compliance checklists. The threat landscape is dynamic, and governance must evolve in kind. Maras continues: “As attacks grow in frequency and sophistication, one of the board’s key responsibilities is making sure the tools in place are still fit for purpose.”
For many organisations, that shift in mindset remains unfinished. Yet with the regulatory tide turning and class-action readiness increasing, the fiduciary implications are no longer hypothetical. Directors who fail to engage meaningfully with cybersecurity governance — who under-resource, under-question, or over-assume — may soon find themselves accountable not just to shareholders, but to the courts.
The cyber resilience playbook
The reality of today’s cyber threat landscape is sobering. For retailers already contending with narrow margins and fragmented digital estates, cyber resilience has become less about deflection and more about adaptation — building capabilities to absorb, respond to, and recover from inevitable attacks.
Businesses must rethink legacy assumptions at every level to move from reactive firefighting to structured resilience. In a climate where supply-chain compromise, credential theft and ransomware-as-a-service are mainstream attack vectors, the organisations that cope best will be those that design for continuity, not just protection.
“Building cyber resilience is about acknowledging that your business will never be completely protected from cyber incidents,” says Darius Goodarzi, Business Director (Information Security & IT Risk) at Robert Walters London. “The cyber threat landscape is one of constant evolution, with pace of change at an all-time high. Boards must instead consider implementing pre, during and post-attack measures to enable their organisation to absorb, recover, and improve from such events.”
The first principle of resilience is layered defence. Attackers today no longer probe solely at the edge. They leap across systems, users and endpoints using techniques like credential stuffing, social engineering and lateral movement through APIs. The only effective response is multi-tiered protection, covering everything from device-level encryption to cloud configuration auditing.
“The fact that attackers may have bypassed initial security measures highlights the importance of a defence-in-depth strategy,” says Oli Venn, SE Manager at WatchGuard Technologies. “Relying on a single layer of protection is no longer sufficient. Organisations need to implement a multi-layered approach that includes robust firewalls, intrusion detection systems, endpoint security, multi-factor authentication (MFA), data encryption and 24/7 monitoring for abnormal behaviour.”
Equally essential is the readiness to act when prevention fails. “Companies should start with the presumption that they will be targeted and have a comprehensive incident response plan in place, including a consumer notification process especially when sensitive data and financial information is corrupted,” says Spencer Starkey of SonicWall. That plan, he stresses, should be “well-defined and regularly tested” — with clear roles, communication protocols and recovery steps. Without it, delays in response can escalate the cost and reputational fallout.
Testing and rehearsal are vital. “The next step of retailers’ cybersecurity strategy should be to conduct regular tabletop exercises twice a year with the senior executives of the firm,” says Pierre Noel, Field CISO EMEA at Expel. “By using realistic scenarios, these training programmes will help senior executives to understand the potential impact and likelihood of such incidents if they were to occur. This is by far the most effective approach in making senior executives aware of the reality of such incidents and convincing them to improve the security posture.”
Third-party oversight also demands a reset. Many breaches now originate not from in-house vulnerabilities, but from vendors granted deep access into logistics, payments or customer systems. Static, questionnaire-based audits are no longer fit for purpose. “What businesses now need is continuous, real-time monitoring of vendor risk, using tools that track behavioural and digital signals — just like they would for their own networks,” says Maras.
This principle of active verification extends beyond vendor access to the workplace itself. Social engineering, often overlooked as a “soft” risk, is now a primary method of intrusion. As Tim Ward, CEO and Co-Founder of ThinkCyber Security, warns: “The most effective programmes deliver timely nudges at points of risk, ensuring that security awareness becomes a continuous, practical part of the organisational culture, rather than a one-off exercise.”
That awareness must be cultural, not just technical. “To move forward, retailers must treat cybersecurity as a cultural priority, not just an IT function,” advises Vivek Dodd, CEO at Skillcast. “That means ongoing employee training, scenario planning and continuous investment in both technology and people.”
Modernising authentication is another critical front. As adversaries use deepfakes and spoofed helpdesks to trick users into sharing MFA credentials, organisations must consider stronger alternatives. “The solution is to use biometrics, like face verification,” says Andrew Bud, Founder & CEO of iProov. “Cloud-based strong liveness assurance prevents hackers using those images to break into the organisation, and is constantly evolving to stay ahead of the attackers.”
Finally, when recovery time is the difference between brand preservation and public backlash, offline preparedness becomes key. “Incident response plans must be tested, not just written,” says Richard Ford, CTO at Integrity360. “Successful recovery is dependent on the availability of backups, and how quickly they can be restored. Backups should be stored offline, as immutable backups.”
In an environment where disruption can spread across ecosystems in minutes, resilience is no longer about being unbreachable; it’s about being unbreakable. As Stephen Boyer, Founder of Bitsight, concludes, “Continuous visibility into supply chain vulnerabilities is no longer a nice-to-have, but a business-critical priority.”
Cybersecurity has quietly become a core part of the brand promise. Consumers may expect uninterrupted service, but what they value most is visible control, transparency and integrity in the face of adversity. Resilience, in this context, is more than containment; it is a signal of competence.
As Pierre Noel of Expel observes: “Today's consumer expects seamless omnichannel and confidence in service, but savvy customers are still willing to forgive even when disaster strikes, provided the comms are good and proactive steps are taken.” Those that fumble will find that there are no returns for customer confidence.
That trust dividend is now up for grabs. Boards that view cybersecurity as a reputational asset — not just an operational necessity — may find themselves on stronger ground during and in the wake of a crisis. In a retail environment defined by digital risk and tight margins, mastering cyber resilience may be the next frontier of differentiation.