Cyberattacks against the retail sector: Economic losses, reputational damage, and penalties
In recent months, cyberattacks against the retail sector have damaged the finances and reputation of large companies
We have already normalized cyberattacks on Black Friday and Christmas, which target e-commerce, but cyberattacks against the retail sector occur continuously throughout the year and are on the rise. Why?
Causes behind cyberattacks against the retail sector
The socioeconomic weight of the sector
Retail companies play a critical role in generating employment and wealth in all Western economies. For example, one study found that two of the five companies that contribute most to Spain’s GDP are retail companies.
Level of cyber exposure
This is a sector that has digitized at a rapid pace and, as a result, has a high level of cyber exposure, particularly due to the importance of online commerce. Added to this is its extensive technological infrastructure, which covers logistics, order management, supply to physical stores, and payments.
Customer data
Cyberattacks against the retail sector seek to exploit one of these companies’ main assets: their customer data. This is done either to extort money from the companies themselves or to sell the data and facilitate online fraud against citizens and businesses.
Company size and cybersecurity posture
The retail sector is not made up solely of large multinationals that can allocate significant budgets to strengthening their security posture. Thousands of SMEs run e-commerce sites or depend on their IT systems to carry out their daily activities, but have not yet placed cybersecurity at the center of their strategies.
Less stringent regulations than in other sectors
Unlike other sectors, such as banking and food, retail is not considered a critical sector, and its legal obligations in terms of cybersecurity are less stringent. Even so, it is important to bear in mind that many companies combine the sale of food products with other types of goods (clothing, technology, etc.), which means they may be subject to regulations such as the future Cybersecurity Law.
Below, we provide an overview of cyberattacks against the retail sector, highlighting the importance of strengthening companies’ cybersecurity strategies to avoid millions in losses, incalculable damage to their reputation, and heavy penalties from data protection authorities.
10 heart-stopping days in London: Three cyberattacks against the retail sector that put large multinationals in a tight spot
On April 22, Marks & Spencer (M&S), the largest British company in the textile sector, which also sells food and household products, reported that it had suffered a security incident affecting contactless payments and in-store pickups of online orders. The incident escalated, affecting the stores’ stock control systems and paralyzing orders via the website and mobile app.
On April 30, another cyberattack against the retail sector that has shaken the British retail industry was made public: the one suffered by the multinational Co-op. The incident, which is also believed to have begun on April 22, resulted in unauthorized access to corporate information and to personal data of 20 million customers.
A day later, on May 1, Harrods, a chain of luxury department stores, reported that it had suffered unauthorized attempts to access its systems. To contain the cyberattack, Harrods decided to restrict internet access in its physical stores, but assured that customers could continue shopping as normal both online and in person.
Thus, in just a few days, three of the UK’s largest retail companies had to deal with serious security incidents. However, the attack suffered by M&S was the worst, as it undermined its business continuity by affecting product stock and, above all, consumers’ ability to make purchases.
How are cyberattacks carried out against the retail sector?
Behind these security incidents are Ransomware-as-a-Service (RaaS) operations such as DragonForce, working with affiliates such as the group tracked as Scattered Spider, which specializes in social engineering rather than in writing malware.
The division of labor is simple. Initial access is obtained through social engineering campaigns against the target company’s employees: the attacker persuades a user to hand over credentials or to approve an authentication request, and from then on moves through corporate systems using what look like legitimate accounts.
Well-resourced groups refine these techniques further. MFA fatigue (bombarding a user with push notifications until one is approved out of exhaustion) and SIM swapping (taking over the victim’s phone number to intercept SMS codes) both defeat multi-factor authentication that depends on the user saying yes or on a phone number.
The RaaS operator, for its part, supplies the ransomware used to encrypt files on as many servers as possible, together with the infrastructure around it.
RaaS providers also run negotiation portals where affiliates haggle with the victim over a ransom paid in exchange for a decryptor and a promise not to publish the stolen data (the so-called double extortion model).
In return, the operator keeps between 20% and 30% of what its affiliates collect.
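The MFA fatigue technique mentioned above leaves a recognizable trace in the identity provider’s logs: a burst of push prompts for one account, several explicit denials, and then a single approval. The following Python script is an added example, not code from the original article, of the detection logic a security operations team would run over authentication logs to spot that pattern and to tell a failed bombing run from one the attacker won. The log format (one JSON object per line with `ts`, `user`, `event` and `src_ip` fields), the event names and the sample lines are all constructed assumptions; real identity providers name these events differently.

```python
"""Detect MFA push bombing (MFA fatigue) in authentication logs.

Added example, not code from the original article. The log format is an
assumption: one JSON object per line with the fields
  ts      ISO-8601 timestamp, UTC
  user    account name
  event   "mfa_push_sent" | "mfa_push_denied" | "mfa_push_approved"
  src_ip  client address that triggered the prompt
The sample lines below are constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import json

WINDOW = timedelta(minutes=10)   # sliding window per user
PUSH_THRESHOLD = 5               # pushes inside the window that count as bombing

# Constructed sample: "alice" is bombed seven times in four minutes, denies
# four prompts and finally approves one; "bob" is a normal single login.
SAMPLE_LOG = """
{"ts": "2025-04-22T03:00:00Z", "user": "alice", "event": "mfa_push_sent", "src_ip": "203.0.113.7"}
{"ts": "2025-04-22T03:00:10Z", "user": "alice", "event": "mfa_push_denied", "src_ip": "203.0.113.7"}
{"ts": "2025-04-22T03:00:40Z", "user": "alice", "event": "mfa_push_sent", "src_ip": "203.0.113.7"}
{"ts": "2025-04-22T03:00:50Z", "user": "alice", "event": "mfa_push_denied", "src_ip": "203.0.113.7"}
{"ts": "2025-04-22T03:01:20Z", "user": "alice", "event": "mfa_push_sent", "src_ip": "203.0.113.7"}
{"ts": "2025-04-22T03:01:30Z", "user": "alice", "event": "mfa_push_denied", "src_ip": "203.0.113.7"}
{"ts": "2025-04-22T03:02:00Z", "user": "alice", "event": "mfa_push_sent", "src_ip": "203.0.113.7"}
{"ts": "2025-04-22T03:02:10Z", "user": "alice", "event": "mfa_push_denied", "src_ip": "203.0.113.7"}
{"ts": "2025-04-22T03:02:45Z", "user": "alice", "event": "mfa_push_sent", "src_ip": "203.0.113.7"}
{"ts": "2025-04-22T03:03:30Z", "user": "alice", "event": "mfa_push_sent", "src_ip": "203.0.113.7"}
{"ts": "2025-04-22T03:04:10Z", "user": "alice", "event": "mfa_push_sent", "src_ip": "203.0.113.7"}
{"ts": "2025-04-22T03:04:30Z", "user": "alice", "event": "mfa_push_approved", "src_ip": "203.0.113.7"}
{"ts": "2025-04-22T03:05:00Z", "user": "bob", "event": "mfa_push_sent", "src_ip": "198.51.100.20"}
{"ts": "2025-04-22T03:05:15Z", "user": "bob", "event": "mfa_push_approved", "src_ip": "198.51.100.20"}
"""


def parse(lines):
    """Yield log records with the timestamp converted to an aware datetime."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        yield rec


def detect_push_bombing(lines, window=WINDOW, threshold=PUSH_THRESHOLD):
    """Return one alert per user who received `threshold` or more pushes
    inside `window`. Each alert records the push count, how many prompts
    the user explicitly denied, the source addresses involved and, most
    importantly, whether the attacker finally obtained an approval."""
    pushes = defaultdict(deque)   # user -> timestamps of pushes still in the window
    denied = defaultdict(int)     # user -> explicit denials seen so far
    alerts = {}                   # user -> alert dict
    for rec in sorted(parse(lines), key=lambda r: r["ts"]):
        user, ev, ts = rec["user"], rec["event"], rec["ts"]
        if ev == "mfa_push_sent":
            q = pushes[user]
            q.append(ts)
            while q and ts - q[0] > window:   # drop pushes older than the window
                q.popleft()
            if user in alerts:
                alerts[user]["pushes"] = len(q)
                alerts[user]["src_ips"].add(rec["src_ip"])
            elif len(q) >= threshold:
                alerts[user] = {
                    "user": user,
                    "first_push": q[0],
                    "pushes": len(q),
                    "src_ips": {rec["src_ip"]},
                    "approved": False,
                    "approved_at": None,
                }
        elif ev == "mfa_push_denied":
            denied[user] += 1
        elif ev == "mfa_push_approved" and user in alerts:
            # An approval after a bombing run means the account is now compromised.
            alerts[user]["approved"] = True
            alerts[user]["approved_at"] = ts
    for alert in alerts.values():
        alert["denials"] = denied[alert["user"]]
        alert["src_ips"] = sorted(alert["src_ips"])
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_LOG.splitlines()):
        verdict = "ACCOUNT COMPROMISED" if alert["approved"] else "attempt failed"
        print(f"{alert['user']}: {alert['pushes']} pushes, {alert['denials']} denials, "
              f"from {alert['src_ips']} -> {verdict}")
```

Run over the constructed sample, the script raises one alert for `alice` (7 pushes, 4 denials, approval granted) and none for `bob`. The "approved" flag is what separates a nuisance from an incident: a bombing run that ends in an approval calls for an immediate session revocation and credential reset, whereas one that ends in denials is a sign that the password is already in the attacker’s hands and should be rotated before the next attempt. Number matching on the push prompt, or phishing-resistant factors such as FIDO2 keys, removes the technique entirely.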

The importance of paying attention to supplier security
While many companies have invested in building robust cybersecurity structures, not enough attention has been paid to the security posture of suppliers when hiring them or giving them access to corporate or customer data.
Cybercriminals are aware of this reality, and given the enormous complexity of directly attacking the systems of large companies, they seek to achieve their objectives through a third party.
The serious consequences of cyberattacks against the retail sector
What does a retail company that suffers a cyberattack stand to lose?
- Leakage of corporate information that could end up in the hands of competitors, damaging their competitiveness.
- Exfiltration of customer data and significant damage to customer relationships and market reputation. If this information is also used to launch online fraud campaigns against consumers, the damage can be even greater.
- Penalties for violating data protection regulations. Breaches that result in the publication of personal data of customers or employees often lead to heavy fines from data protection authorities. The GDPR, the main European regulation on this matter, requires companies to have in place the technical and organizational measures necessary to ensure a level of personal data protection appropriate to the risk. Investigations into some security incidents have revealed that these measures were not sufficiently robust. Fines can reach €20 million or 4% of the company’s annual worldwide turnover, whichever is higher.
- Millions in losses due to disruption of basic operations and falling sales. The M&S incident is a case in point. The company is estimated to be losing millions of pounds a day, the incident is not expected to be fully resolved until July, and the company itself puts the hit to its operating profit at around £300 million. Why are the economic damages so high? Multiple systems remain down, online sales are still at a standstill, and physical stores have suffered supply shortages, leading to a significant reduction in sales and, therefore, revenue.

How to combat cyberattacks against the retail sector
Although we have not explicitly mentioned it as a consequence, it is easy to conclude that cyberattacks against the retail sector can trigger serious crises in the companies that suffer them.
In recent weeks, panic has spread at M&S, with internal sources speaking of chaos, paranoia, and workers sleeping in offices to try to restore normality. What’s more, it has been reported in the media that there was no plan in place to deal with cyberattacks against the retail sector, nor was there a strategy to ensure business continuity.
How can this be? Many companies, including large ones, have not effectively assessed the risks and threats they face and do not have a cybersecurity strategy tailored to them.
Thus, to prevent cyberattacks against the retail sector, limit the impact of security incidents, and safeguard business continuity, it is essential to have advanced cybersecurity services such as:
Continuous security audits
Security audits detect vulnerabilities in the technological infrastructure that malicious actors could exploit. Because that infrastructure changes constantly (new releases of the online store, new suppliers, new integrations), audits must be continuous rather than a one-off exercise.
Vulnerability management
Vulnerability management is critical to mitigating weaknesses found based on their level of criticality, the likelihood of them being successfully exploited, and their impact on the business.
Social engineering testing
As mentioned above, the first phase of cyberattacks against the retail sector consists of social engineering campaigns to deceive company professionals and gain entry into corporate systems and networks. It is, therefore, extremely important to subject staff to social engineering tests to assess their ability to deal with these threats and train them to avoid falling victim to increasingly sophisticated scams.
Ransomware Simulations by a Red Team
A Red Team service can be used to assess a company’s resilience to ransomware attacks, identify areas for improvement, and train the professionals responsible for defending the organization.
Proactive incident response services
In the event of a security incident, it is essential to detect it and to articulate a response strategy as quickly as possible. Incident response services are therefore critical for containing the malicious activity, expelling hostile actors, and restoring normal operations fast enough that the incident does not compromise business continuity.
In short, 2025 is reminding us that cyberattacks against the retail sector are becoming increasingly numerous, complex, and dangerous. It is, therefore, essential that retail-focused companies strengthen their security posture, increase their cyber resilience to attacks, and be able to avoid millions in losses, reputational damage, and financial penalties.