IADS Exclusive: Fortifying the value chain: cybersecurity strategies for retail

Articles & Reports | Jul 2025 | Anchita Ranka

Cyberspace is an increasingly interlinked web in which risks are exacerbated by rising geopolitical tensions, rapid adoption of emerging technologies, and regulatory requirements. The growing complexity of value chains, combined with the lack of oversight into the security levels of suppliers, has been identified as the leading cybersecurity risk for organisations by the World Economic Forum’s Global Cybersecurity Outlook 2025. The report also concluded that the widening cyber skills gap is fuelling increased cyber inequity across industries and organisations of different sizes.

The retail industry accounted for about 24% of all cybersecurity attacks in 2020[1] and faced more data breaches than any other industry.[2] As of 2024, ransomware attacks on the retail industry have increased by 22%.[3] The rise of e-commerce has created new opportunities for cybercriminals to target retailers, given the wealth of payment information and personally identifying data that retailers hold. As retailers make greater use of data-driven technologies, cybercriminals have a larger attack surface to exploit.

Several brands and department stores have been targeted in recent years. In March 2025, IADS member El Corte Inglés faced a data breach involving sensitive information, including identification and contact details, as well as credit card numbers used for purchases. More recently, in April 2025, Marks & Spencer was attacked by the teenage hacker gang Scattered Spider, which led to a GBP 700 million loss in valuation and an estimated impact of GBP 300 million on its profit; Harrods and the Co-op were hit next. In mid-July, Louis Vuitton reported a data breach of over 400,000 customers’ personal information that triggered an investigation by Hong Kong’s privacy watchdog. According to Grant Thornton, fewer than half of retail businesses have a cyber strategy in place, which is below the global average (52%) for all businesses.[4] Given that large retailers collect immense amounts of data from their customers, cyberattacks pose operational and reputational risks.

[1] 2020 Trustwave Global Security Report
[2] 6 ways hackers are targeting retail businesses
[3] Europe Retail Threat Landscape 2024
[4] Cyber security concerns in the retail sector

The growing complexity of retail value chain cybersecurity

Large retailers, including department stores, have multi-tiered value chains reflecting an end-to-end sequence of activities that create dependencies on hundreds of third-party vendors, software modules, and cloud services. This creates an expanding attack surface, with each node forming a potential entry point for attackers, especially when visibility into suppliers’ security practices is limited. As organisations adopt new technologies, add digital assets, integrate cloud services, and connect with more third-party vendors, they generate a larger digital footprint, making it harder to secure each access point. As a result, organisations face more vulnerabilities, greater complexity and lower visibility over a more dispersed value chain, which in turn requires higher security spending.

Smaller suppliers often lack the resources to meet robust cybersecurity standards, creating systemic weaknesses. Only 35% of Small and Medium Enterprises (SMEs) report sufficient cyber resilience, compared to larger firms.[5] Typically, with smaller budgets and fewer IT staff, most SMEs have limited resources to invest in advanced cybersecurity tools or to hire dedicated security experts. As a result, they often rely on outdated technology or consumer-grade security solutions, which are less effective against modern threats. Cybersecurity awareness and staff training may also be lower, owing to the common misconception that SMEs are ‘too small to target’. However, the combination of weaker security and access to valuable data makes SMEs an attractive target for attackers as an entry point for infiltrating larger organisations.

Regulatory challenges are increasing value chain cybersecurity risks because organisations must navigate a patchwork of overlapping and evolving regulations across different regions, making compliance complex and inconsistent. At the same time, many companies lack clear visibility into their multi-tier supplier networks, especially where smaller vendors and open-source software are involved, leading to hidden vulnerabilities. These issues are compounded by inconsistent security standards among suppliers, rising compliance costs, and the operational risk of relying on critical third parties, all of which make it harder to detect, prevent, and respond to cyber threats across the value chain. Enforcing consistent security standards across jurisdictions and industries remains difficult. Software value chains are particularly opaque, with vulnerabilities lurking in sub-tier modules. Only 48% of Chief Information Security Officers (CISOs) effectively manage third-party compliance, owing to fragmented regulations.

In the retail industry, systemic interdependencies turn every supplier, technology partner, and service provider into a potential avenue for a cyberattack. For example, a breach at a small third-party logistics firm handling back-room inventory, or a vulnerability in an open-source e-commerce plugin used by a boutique fashion supplier, can be exploited to “island-hop” into the department store’s core systems. This is how attackers gained entry to Target in 2013, via its heating, ventilation, and air conditioning (HVAC) contractor. Today’s retailers rely on cloud-hosted POS platforms, real-time inventory-management systems, loyalty programme APIs, payment processors and outsourced marketing agencies, often without full visibility into each partner’s security posture. When one node fails, thousands of stores can experience stock-outs, payment-processing outages and breaches of customer data simultaneously. This “concentrated dependency” not only disrupts sales and damages brand reputation but also triggers regulatory fallout and hefty remediation costs.

[5] Risk factors from supply chain interdependencies in a complex cybersecurity landscape

Key value chain cyber risks and mitigations in the retail industry

From Internet of Things (IoT) device vulnerabilities to social engineering attacks and data breaches, these are the main value chain cybersecurity risks retailers face, and how they can be combated.

IoT device vulnerabilities 

Retail has undergone rapid change in the last decade, giving rise to e-commerce and to customers who prefer shopping online to in-store. Retailers are no strangers to cyber threats against websites and mobile apps, including:

  • “formjacking”, where hackers inject malicious code into a webpage, most often a payment page form,
  • “scraper bots”, which extract content and data from websites for price undercutting and content theft, and
  • “electronic skimmers”, which steal payment data from visitors via input fields or fake checkout pages.

However, their physical storefronts are increasingly vulnerable to cyberattacks too. Stores feature diverse IoT devices: “smart” appliances that are connected to the internet. These include customer-facing systems like self-checkout kiosks, smart sensors that track customer paths, monitoring tools that optimise inventory management, and climate control systems. While these devices help increase efficiency and improve customer experiences, each of them is also tied to the open internet, making them vulnerable to malicious activity.

Social engineering attacks

Phishing and other social engineering attacks are primary threats to the retail industry. RH-ISAC’s Retail & Hospitality Industry Insights Report confirms that 90% of reported cyber incidents in the retail industry result from social engineering, system intrusion, or basic web application attacks. Threat actors gain access to retailers’ networks via social engineering attacks, in which they manipulate employees into revealing confidential information, granting unauthorised system access, or otherwise compromising security.

The targets are not limited to a retailer’s own employees: a common tactic is to send phishing emails to, or call the support desk of, a retailer’s vendor. The methods are largely the same: a hacker poses as a trusted source, such as someone from an HR, IT or accounting team. Once trust has been secured, threat actors ask victims to hand over login credentials or direct system access. Because many retailers and vendors share login credentials, this oversight can end up giving hackers full access to a retailer’s network, allowing them to deploy ransomware, install malware, or steal sensitive data. Advances in artificial intelligence and deepfake technology have made social engineering attacks more realistic and more successful than ever.

Third-party vendor breaches

Retailers’ systems are often directly integrated with those of third-party vendors, such as suppliers, logistics providers, and payment processors. These partnerships help streamline data transfers and improve efficiency, but they also open doorways for bad actors. If a hacker manages to exploit a vulnerability in a vendor’s system, they can take advantage of the retailer-vendor connection to gain access to the retailer’s network. While APIs and other connections enable seamless communication, they can also enable data theft: if connections are not sufficiently secured, hackers can intercept them to steal data in transit, such as customer payment information. Vendors that do not have a direct connection to a retailer’s systems still represent a vulnerability. Of the consequences of a breach, data theft is the most obvious and immediate, but retailers can also face ransomware attacks, operational downtime, loss of customer trust, reputational damage, and even regulatory penalties.

Experts from the UK’s National Cyber Security Centre (NCSC) stress that cyber risk should be a corporate governance theme, treated with the same seriousness as financial and legal risks. Incident response planning should be a non-negotiable requirement for executives, including actionable disaster recovery plans with clear provisions for operating without IT systems for extended periods and for rebuilding technology infrastructure after an incident. The human factor in cybersecurity remains a persistent vulnerability. Most organisations conflate awareness with training, bombarding employees with information instead of teaching practical skills. Secure practices must be easy to adopt and embedded into daily routines, without creating trade-offs between productivity and security. Regular exercising and simulation, including tabletop exercises, are necessary to make the threat tangible and to clarify roles and responsibilities for board members.

When one supplier fails: how the Marks & Spencer hack rippled through UK retail

Several UK retailers were recently hit by cyberattacks, the most notable being the attack on Marks & Spencer by the Scattered Spider hacking group. The breach resulted in a GBP 300 million hit to operating profits and wiped GBP 700 million off its market value. The breach, attributed to human error at a third-party supplier, forced the suspension of online operations for over three weeks, disrupting GBP 3.5 million in daily digital sales and affecting services including contactless payments and click-and-collect. The disruption lasted almost three months, until July 2025. While no payment details or account passwords were compromised, the attack exposed customer personal data, including contact details and online purchase histories, leading to a class action lawsuit. The incident has significantly impacted consumer confidence, with recommendation rates dropping from 87% to 73%, though underlying trust remains at 82%. CEO Stuart Machin faces a GBP 1.1 million reduction in compensation, reflecting the growing accountability for cyber security at the executive level. The breach has wider consequences for the retail sector, driving a 10% increase in cyber insurance premiums and highlighting the critical importance of robust security measures in modern retail operations. Four suspects have since been arrested in connection with these coordinated cyberattacks. As part of rebuilding efforts, Marks & Spencer and Co-op launched promotions for customers and staff to thank them for their support.

Interestingly, this recent slew of cyberattacks on UK retailers has revealed a significant disparity in risk management approaches, with Harrods and Co-op lacking cyber insurance coverage while Marks & Spencer maintained substantial protection. The attacks forced the Co-op to suspend contactless payments in approximately 10% of its stores and led Harrods to report unauthorised system access attempts. While Marks & Spencer faces potential losses of GBP 300 million, its GBP 100 million cyber insurance policy, arranged by WTW with Allianz as the primary carrier, provides crucial financial protection. The incidents have prompted industry experts to predict increased demand for cyber insurance, though insurers are expected to scrutinise coverage applications more closely. This series of attacks occurs against a backdrop of evolving cyber threats, with UK cyber claims showing a 20% decrease in 2024 while remaining significantly higher than pre-2023 levels. While cyber insurance can be a tool for risk transfer, it cannot substitute for foundational controls. Targeted policies addressing both first- and third-party costs are important, and mature providers offer valuable incident response services.

The systemic interdependencies within industries and markets are evident, given that the incident at Marks & Spencer was followed by similar attacks on Harrods and Co-op, also claimed by Scattered Spider. According to RH-ISAC, ransomware now accounts for 30% of retail security incidents, with average losses reaching USD 1.4 million per attack. The breach’s origin in a third-party supplier vulnerability emphasises the complex challenges retailers face in securing their digital infrastructure. This wave of attacks highlights that effective cyber risk management in retail demands comprehensive insurance coverage, rigorous oversight of third-party suppliers, and coordinated incident response strategies to manage such crises effectively.

Conclusion: From cascading vulnerabilities to cyber resilience in the value chain

The rise of digital innovation has transformed the retail industry into a highly interconnected ecosystem, expanding the attack surface and amplifying systemic vulnerabilities. Large department stores rely on multi-tiered value chains spanning hundreds of third-party vendors, cloud services, and IoT devices, with each interaction offering a potential entry point for threat actors and creating blind spots that are difficult to monitor and secure. Smaller suppliers, which often lack the budgets and expertise for robust cybersecurity, introduce further weak links. Cyber inequity has been identified as one of the leading cybersecurity risks. By supporting smaller organisations in meeting security standards, larger, resource-rich organisations can strengthen the entire network’s security and ensure a more resilient cyber ecosystem.

Building resilience against value chain cybersecurity threats in the retail sector requires a holistic and proactive approach rooted in best practices and robust frameworks. Retailers must prioritise risk-based supplier assessments, conduct rigorous due diligence, and implement clear contractual requirements that define security controls and incident response protocols. Continuous monitoring, leveraging technologies such as automated risk assessment platforms and Software Bills of Materials (SBOMs), is essential to maintain real-time visibility into supplier security and to identify vulnerabilities swiftly. Adopting industry-recognised frameworks such as NIST and ISO 27001, and aligning with regulatory standards like PCI DSS (Payment Card Industry Data Security Standard), further strengthens the foundation for effective cybersecurity management. Collaboration is equally critical: sharing threat intelligence, participating in industry initiatives like IADS partner RH-ISAC’s LinkSECURE and the NCSC’s Cyber Essentials framework, and supporting the cyber maturity of smaller suppliers all help close gaps across the value chain. By embedding these best practices into everyday operations, retailers can mitigate the risk of operational disruptions and data breaches while fostering trust with customers and partners, transforming cybersecurity from a compliance requirement into a driver of sustainable business growth.

Credits: IADS (Anchita Ranka)