
The retail sector is facing an unrelenting wave of cyberattacks, with even the biggest names unable to escape disruption. Following confirmation from the Marks & Spencer chairman that ransomware group Scattered Spider was believed to be behind the company’s recent cyberattack, it’s clear that no retailer is off-limits.
Targeting retailers is not a new phenomenon. Just this year, M&S, Co-op, Harrods, and most recently Adidas, have all been hit by significant breaches that have disrupted operations, compromised customer data, and damaged trust. This indicates a clear trend: as attackers’ methods become more sophisticated, the risks to retailers are rising. In fact, reports found that more than half of UK retailers experienced an increase in cybersecurity attacks and breaches in 2024 – signifying a worrying trajectory. Many cybersecurity incidents have been linked to vulnerabilities in enterprise software, databases, and hypervisors, including widely used SAP retail solutions.
Why the focus on retailers?
It is clear why retailers are attracting this attention from cyber criminals, and why even the most prominent household names find themselves at risk.
First, retailers hold large amounts of consumer data, from payment information to personal details. In the wrong hands, all of this data becomes valuable intelligence that feeds future crime, from identity theft to phishing attacks.
Second, retailers are often easy targets. Many, including Marks and Spencer (M&S), have integrated enterprise software applications from vendors like SAP into their workflows over time. When software such as SAP NetWeaver is compromised, attackers can gain access to the data of multiple applications through a single entry point. NetWeaver was recently compromised by a zero-day attack, which led SAP to issue an unscheduled patch. Several impacted systems had already been updated with the latest patches at the time of the attack.
Third, many retailers have recently embarked on digital transformation journeys. While critical to allow them to operate effectively in today’s market, these change programmes also increase the potential attack surface. As for most businesses, a complete rip and replace is neither feasible nor necessarily required. Thus, retailers frequently run a mix of newer and mature infrastructure, creating additional complexity when attempting to implement effective cybersecurity defences.
Finally, a number of retailers have not increased security spending to match either the rise in threat levels or their increased digital surface. The BRC report found that 57% of retailers had not increased spending to tackle the growth in online theft.
Drivers for change in retail cybersecurity
The impact of these attacks is significant. M&S has estimated that the attack on its systems could cost £300 million, with full operational recovery not expected until October or November. Meanwhile, the broader retail sector is already feeling the ripple effects. Cyber insurance premiums are expected to rise by around 10%, with brokers urging uninsured clients to act fast before further hikes.
Similarly, retail cyber attacks take direct hits on customer trust scores, with a snapshot poll of M&S customers post-breach revealing a 14% decline. Sector-wide, nearly half (47%) of organisations noted more difficulty attracting new customers after a cyber-attack, while 43% lost customers.
The consequences of such an attack could extend far beyond just one company. It took nearly seven weeks after the incident for M&S to begin accepting online orders again, and even longer to fully restore their online ordering system. If a similarly successful attack were to occur on a top-three food retailer, such as Tesco or Sainsbury’s, it could escalate into a national concern regarding food security in the UK.
Four steps to securing retail
These cyber-attacks must mark a watershed moment for retail, and the situation signals the need for measurable change. Four vital lessons emerge from this incident that retail executives must urgently address:
1. Avoid overemphasis on compliance. Too many organisations, including retailers, focus on ticking regulatory boxes rather than implementing truly robust security programmes. This checkbox mentality creates a dangerous illusion of security while leaving significant gaps that determined attackers can exploit.
2. Focus on security risk management. The effectiveness of sophisticated attacks is significantly diminished when overlapping security controls are put in place. According to the recent Verizon 2025 Data Breach Investigations Report, stolen credentials remain one of the primary attack vectors in 2025. Implementing multi-factor authentication (MFA) can help mitigate this threat. In addition to hardening and other controls, security solutions are available, such as those that proactively protected Rimini Street clients against the recent NetWeaver zero-day vulnerability at run-time with no additional action required on their part.
3. Resolve the fundamental resource allocation challenge. Most retailers are spending far too much on low-value, low-ROI expenditures that often come with vendor support, leaving insufficient funds to invest in a modern security infrastructure. By optimising costs through third-party support, they can redirect vital savings of up to 90% of total maintenance costs toward innovations such as security enhancements that address evolving threats.
4. Secure foundational systems before chasing advanced technologies. Many organisations are rushing to adopt AI and machine learning without first ensuring that their core systems are adequately protected. The investigation into the M&S breach reveals that tactics similar to those used by the “Scattered Spider” group were involved. This group is skilled in social engineering tactics for initial entry, followed by deploying ransomware and/or file encryption. Providing training for employees on social engineering tactics is essential. Organisations can also protect themselves from social engineering attacks by using hardening techniques and security solutions designed to detect and remediate ransomware attacks at the hypervisor level.
Time to improve the retail industry’s security posture
It has long been a cliché in cybersecurity to talk about when, not if, an attack successfully disrupts a business. Retailers will continue to be targeted, and the threats will keep evolving; the rewards for criminals are simply too great and, at the moment, too easily accessible.
That means defences, at both a company level and across the industry, must evolve to combat the sophistication of cybercriminal strategies. The consequences for not doing so are clear: significant financial, reputational, and operational damage, even when remedial action is taken. Retailers that improve their security posture and demonstrate how they can be trusted with personal customer data will be in a stronger place to operate effectively and securely.