Stealing customer purchase histories. A new target for cybercriminals

In recent months, there have been cyberattacks against large companies in which hostile actors managed to steal customer purchase histories.
Do you think you know your friends? Have you taken a look at the shopping list they take to the supermarket? We assure you that you will be surprised. One of the best ways to get to know someone in the 21st century is to learn about the products they purchase. And cybercriminals know this well. By stealing companies’ customer purchase histories, malicious actors obtain a wealth of valuable information. Why?
To impersonate companies and launch extremely sophisticated and personalized online fraud campaigns against consumers, since cybercriminals know what their victims have bought in the past and can use this information to deceive them without arousing suspicion.
Below, we explain why stealing customer purchase histories has become a target for criminal groups when launching attacks against companies in the service sector and how companies can prevent this type of incident and strengthen the security of their e-commerce sites.
1. Credential stuffing, a malicious technique that allows customer accounts to be compromised
In early June 2025, it was announced that The North Face, a retail company with annual revenues of $3 billion, had suffered a credential stuffing attack in April. How does this malicious technique work?
- Cybercriminals obtained security credentials exposed in previous attacks that resulted in the leakage of this personal data.
- Since many consumers use the same usernames and passwords to access multiple platforms and web applications, the goal of credential stuffing is to test whether the credentials obtained can be used to access an e-commerce site.
- These login attempts can be automated, allowing criminals to make thousands of attempts.
- If they manage to access user accounts on a retail company’s website, they can steal customers’ purchase histories, as well as other valuable information, such as consumers’ names, contact details, and even their delivery addresses.
In what cases are malicious actors who use credential stuffing successful? When the company they are targeting has not implemented multi-factor authentication for users to access their accounts.
Why do many businesses still not require consumers to perform two-factor authentication? This procedure slows down the purchasing process, is less convenient for users, and can affect impulse purchases.
As is always the case with cybersecurity, before implementing any security mechanism, it is essential to consider both its potential benefits and its impact on the company’s operations and business model.
However, given the increase in attacks aimed at stealing customers’ purchase histories, it is becoming increasingly advisable to adopt multi-factor authentication on e-commerce platforms.
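The pattern described in this section (one source testing many different leaked username and password pairs, with most attempts failing) is visible in login logs. The following is an added example, not code from the original article; the event format, the thresholds and the function names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def sample_events():
    """Constructed login events: (timestamp, source IP, username, success)."""
    base = datetime(2025, 4, 23, 3, 0, 0)
    events = []
    # One source tries 40 different accounts once each; two attempts succeed.
    for i in range(40):
        ok = i in (7, 31)
        events.append((base + timedelta(seconds=3 * i), "203.0.113.50", f"user{i:02d}", ok))
    # A legitimate customer mistypes a password twice, then logs in.
    for j, ok in enumerate((False, False, True)):
        events.append((base + timedelta(seconds=20 * j), "198.51.100.7", "alice", ok))
    return events

def detect_stuffing(events, window=timedelta(minutes=5), min_users=20,
                    max_success_ratio=0.2):
    """Flag sources that try many distinct usernames in one window and mostly fail.

    Returns {ip: sorted usernames that logged in successfully from that ip};
    those accounts are candidates for a forced reset or step-up authentication.
    Thresholds are illustrative assumptions, not recommended production values.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, rows in by_ip.items():
        start = 0
        for end in range(len(rows)):
            # Advance the window start so rows[start:end + 1] spans <= window.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            chunk = rows[start:end + 1]
            users = {u for _, u, _ in chunk}
            successes = sum(1 for _, _, ok in chunk if ok)
            if len(users) >= min_users and successes / len(chunk) <= max_success_ratio:
                # Report every account this source got into, not only this window.
                flagged[ip] = sorted({u for _, u, ok in rows if ok})
                break
    return flagged

if __name__ == "__main__":
    for ip, accounts in detect_stuffing(sample_events()).items():
        print(f"{ip}: likely credential stuffing; review accounts {accounts}")
```

Counting distinct usernames per source, rather than failures per account, is what separates this pattern from a customer who simply mistypes a password.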
2. Ensuring business continuity and protecting customer financial data have been the top priorities
In recent years, retail companies have made a significant financial and human effort to equip themselves with robust security structures. This process has been a logical consequence of the increase in online commerce. For example, The North Face already generates 42% of its revenue through its digital sales channels.
The two main areas on which retail companies’ cybersecurity strategies have focused are:
- Business continuity. The historic security incident suffered by Marks & Spencer in the spring of 2025 has demonstrated that a cyberattack affecting the operation of e-commerce and critical services, such as product stock control, can have costly consequences. In the case of M&S, the cost is expected to exceed £300 million.
- Consumer financial information. The most sensitive data that companies obtain from their customers is the information associated with the cards they use to make their purchases. For this reason, companies continually optimize the mechanisms for protecting this data. A good example of this is the incident suffered by The North Face, where the malicious actors were unable to obtain customers’ bank details.
When it comes to cybersecurity, it is essential to bear in mind that there is no such thing as zero risk or 100% protection. Cybersecurity strategies are designed and implemented with consideration for the threats a company faces, its business model, and the financial, technical, and human resources at its disposal.
Most companies in the service sector have focused their efforts on the two areas mentioned above because of their relevance to them and their customers. As a result, other issues, such as the threat posed by criminals stealing customers’ purchase histories, have received less attention.
However, in a landscape where digital fraud against citizens is on the rise, safeguarding consumers’ purchase histories is becoming increasingly important, as this issue extends beyond the retail sector.
To give just one example, last year Ticketmaster, the world’s leading ticket sales platform, suffered an incident that resulted in unauthorized access to customer data, including tickets they had previously purchased.

3. Excellent raw material for designing 100% realistic fraud
Stealing a company’s customer purchase history allows malicious actors to design extraordinarily realistic cyber scams.
Consider, for example, a citizen who receives an email that, theoretically, comes from a company from which they have recently made a purchase. The email informs them that the company would like to thank them for their trust and offers them an exclusive discount on a product similar to one they have already purchased. To take advantage of the offer, they are redirected to a page that appears legitimate and are asked to enter their bank details to complete the purchase.
By the time the victim realizes what has happened, the money will have disappeared from their bank account and they will have no order on the way.
Criminals are becoming increasingly adept at impersonating reputable companies. Stealing customers’ purchase histories enables cybercriminals to offer personalized and credible information, leveraging their preferences and habits to avoid raising suspicions of fraud.
The example we have just outlined is just one of many possible scenarios. Criminals seek to steal the purchase history of customers of companies in the service sector with the aim of:
- Extorting companies by demanding a ransom in exchange for not making the information public.
- Selling it along with other confidential information to competitors.
- Selling it on the dark web so that other hostile actors can commit fraud.
- Using it to carry out their cyber scam campaigns, especially against consumers with high purchasing power.
As is (almost) always the case, the main objective of criminals is to monetize their malicious activities, whether at the expense of companies or consumers.
4. Stealing the purchase history of high-income customers, a very lucrative target for criminals
It is no secret that not all consumers are equal. Some customers have much greater potential value for companies… and also for criminals.
It should therefore come as no surprise that malicious actors seek to steal the purchase history of customers of companies operating in the luxury sector.
In recent weeks, companies such as Cartier and Dior have experienced security incidents involving their customer data.
The firm founded by Christian Dior, a true global fashion icon of the last century, reported in May 2025 that it had been the victim of a data breach affecting its customers in China and Korea. What did the criminals get?
- They obtained personal and contact details, including full names, phone numbers, email addresses, and postal addresses.
- They stole customers’ purchase histories.
While the theft of customer purchase histories poses a significant threat to all companies in the service sector, it is particularly serious for those serving high-income customers. Why? In these cases, customer trust is absolutely critical.

5. Reputational damage, one of the most serious and persistent consequences of cyberattacks
Attacks in which criminals manage to steal customers’ purchase histories once again underscore the damage suffered by companies that experience security incidents.
It is easy for a business to determine how much money it has invested in resolving an incident and returning to normal. It is also possible to estimate the direct economic losses resulting from incidents that undermine business continuity or lead to the payment of penalties.
But what about reputational damage? It is more intangible, but no less real or serious. Moreover, its effects can be more lasting. If a consumer is defrauded because criminals gain access to their personal data and purchase history, their relationship with the company may be irreparably damaged.
As we pointed out earlier, in a sector such as luxury goods, where consumers invest substantial amounts of money in purchasing goods and services, damage to the brand image can be significant and harm the company’s future.
No one wants their purchase history to be made public or used to deceive them; this concern is particularly acute among consumers with higher purchasing power.
6. Prevention, detection, and response: Cybersecurity services are key
How can criminals be prevented from stealing a company’s customer purchase history? Experts argue that it can be very helpful not to reuse credentials and to use password managers instead. However, these recommendations depend on the human factor and cannot be enforced. Nevertheless, companies can decide to adopt multi-factor authentication to prevent criminals from accessing the corporate accounts of company professionals or their suppliers.
Along with this measure, it is essential that companies in the service sector continuously strengthen their security strategies through services such as:
- Continuous security audits to detect exploitable vulnerabilities in e-commerce and corporate websites, as well as signs of security incidents, as quickly as possible.
- Fraud investigation and analysis by cyber intelligence experts, with the aim of understanding how criminal groups operate, optimizing early detection mechanisms, and implementing security countermeasures to prevent them from achieving their objectives.
- Red Team exercises designed to reliably test a company’s resilience to attacks, optimize its defensive structures, and ensure it is better prepared to deal with the most innovative malicious techniques.
- Proactive incident response. This allows cybersecurity experts to act from the outset, contain the impact of an attack, prevent its spread, limit the information that may be exposed, expel hostile actors, and restore normality.
One of the main assets of any company is its customers and the information it has about them. Knowing each consumer’s purchase history is crucial for offering them targeted commercial proposals that align with their interests and needs. Protecting this data is essential because its malicious use can result in consumer fraud so realistic that it succeeds and causes them financial losses.
The growing number of cyberattacks against the retail sector, the consolidation of online shopping, and the proliferation of cyber fraud attempts show that companies in the service sector must rely on cybersecurity experts to continuously automate their prevention, detection, and response mechanisms for any type of incident, especially those involving customer data.