Retailers: Why Are They So Often Targets Of Cyber Attacks?
Over the past few months, a wave of cyber attacks has swept through the UK retail sector, disrupting some of the country’s largest brands. Adidas, Harrods, the Co-op and, most publicised because of the scale of its impact, Marks & Spencer have all been targeted by cyber criminals, resulting in outages, data breaches and multi-million-pound losses.
But why are these retailers so frequently targeted by attackers? This blog post will explore the unique risks that retailers face, what we can learn from recent incidents and how the sector as a whole can protect itself from future attacks.
What makes retailers attractive targets for cyber criminals?
Retailers are ideal targets for attackers for one simple reason: they sit on a huge volume of valuable personal data.
Customer personal data is valuable, with data such as names, email addresses, payment details and even buying habits being easy to monetise, whether that be selling it on the dark web, or by using it to target individuals. For example, if an attacker knows the contact details and buying habits of a customer, they could use this data to create better phishing emails that the victim is more likely to fall for. Someone is much more likely to click on a link promising them a discount on a desirable product than something more generic, like a password-reset email.
The allure of this personal data isn’t the only reason retailers are such ideal targets. The IT systems these companies have in place are usually far less mature than those of a heavily regulated organisation such as a bank. Especially in large retail businesses, there is a significant risk that IT systems are outdated or underfunded, with the security overhaul needed to defend against more sophisticated attacks never being carried out.
On top of this, large companies often rely on off-the-shelf security solutions and third-party vendors to manage certain aspects of the business, and these frequently act as an easy point of entry for attackers. You’ll soon see that attackers gaining access through third-party suppliers is a common trend across several of the recent attacks.
How did these attacks happen and what was the impact?
Next, we’ll look at a few of the recent attacks on large retailers to identify a few common trends on how attacks have been carried out.
Marks & Spencer
On Easter Weekend 2025, Marks & Spencer was hit by a ransomware attack believed to be carried out by a group of hackers who tricked third-party IT helpdesk staff into giving them access to company systems. This is known as a ‘social engineering’ attack, where human error is relied on to gain unauthorised access to accounts and systems. In this case, it is believed that two IT logins were used as part of the attack.
While the most significant impact on the business was the damage to its online services, which prevented shoppers from using them for six weeks, another aspect of the incident is that the personal data of up to 9 million online shoppers has been compromised, with the affected data potentially including names, dates of birth, contact information, home addresses and online order history. Even though it has been confirmed that account passwords weren’t compromised, Marks & Spencer said that, for peace of mind, customers can still reset their account passwords.
The Co-Op
As in the Marks & Spencer attack, the attackers targeted third-party support staff, impersonating employees so that the passwords of accounts with system access would be reset for them. There were two key differences in how the Co-op responded compared to Marks & Spencer, and these greatly reduced the impact of the attack:
Faster incident response: the Co-op’s internal security teams acted much faster once the breach was detected. They immediately restricted system access and isolated the affected areas, preventing the kind of ransomware that hit Marks & Spencer from being executed.
Greater access control measures: the Co-op had more granular access controls in place for third-party vendors and internal administrators. This meant the attackers couldn’t reach every system from a single compromised account. By contrast, it was reported that in the Marks & Spencer attack a third-party supplier may have had too much access, making the attack that bit easier.
Harrods
In May 2025, Harrods was targeted by an attack in which internal data, including staff data and sensitive documents, was stolen. Unlike the Marks & Spencer and Co-op attacks, customer-facing systems were largely unaffected, though some of the compromised material was later leaked online. At this time it is not known exactly whom the attackers targeted, but because they used social engineering to obtain passwords, it is likely that IT staff were involved in some form.
What can retailers do to combat this issue?
While it’s clear why retailers are appealing targets for attackers, it’s also clear that they aren’t completely helpless. There are many things that these businesses can do to dramatically reduce the likelihood of an attack, and many of these are also likely to apply to your business too:
Train staff to spot attempted attacks: Social engineering attacks mainly succeed due to human error and misplaced trust. To help combat this, staff should receive regular training, whether that be in the form of delivering staff training content or by creating realistic phishing simulations. Both of these will help staff keep in mind what they need to look out for with phishing emails and reduce the likelihood that they’ll fall for one. PRIVACY HELPER’s online staff training service includes content on this exact topic. Click here to learn more about how our staff training service can help protect your business.
Third-party due diligence is key: Your security is only as strong as your weakest link. All these retailers probably had a high level of security overall, though attackers only need to find one point of weakness to carry out an attack. In many of these cases, attackers targeted third-party contractors, some of which are based abroad, where it was much easier for them to get the access they need. Stronger or more frequent due diligence checks on your third-party suppliers are likely to help identify this weakness in processes and staff training, allowing you to put the necessary measures in place to reduce the chances of an incident like this happening. If you’re concerned that some of your suppliers could act as a point of weakness for your business, take a look at our Supplier Due Diligence page to see how PRIVACY HELPER can assist.
Limit the impact of successful attacks with access controls: the damage caused by an attack depends on how interconnected your internal systems are. For example, Marks & Spencer suffered more than the Co-op, which by comparison allowed the attackers significantly less access. It did this by separating critical systems more strictly and only granting access to the parts of a system that a person needs for their job. Doing this reduces both the amount of damage an attacker can easily cause and the amount of personal data they have readily available. If you have the resources, you could also conduct an “assume breach” test, in which you simulate an attacker who already holds one set of credentials to identify potential weaknesses in your systems.
Have a clear and practised incident response plan: many businesses are hit much harder by attacks because they respond too slowly. Until an attack happens, it can be difficult to know how quick your response actually is. A strong, well-tested breach response plan helps you contain a breach quickly, which limits both impact and downtime. Assign and document clear roles and responsibilities for your crisis team in advance, so that nobody has to work this out in the middle of an attack.
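The pattern common to the incidents above is a helpdesk-initiated password reset on a third-party or administrative account, followed by a login from somewhere that account has never been seen before. The following detection rule, an added example that is not part of the original post and uses constructed sample events rather than logs from any real incident, flags exactly that sequence so a security team can respond in the first minutes rather than weeks. The account tag `PRIVILEGED` and the event field names are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from any real incident). A third-party IT
# account is reset by the helpdesk, then logs in from an address it has never
# used, then performs a privileged action; a second, ordinary account is also
# reset but is not privileged and so is not alerted on.
EVENTS = [
    {"ts": "2025-04-18T09:02:00", "type": "login", "account": "vendor-it-01", "src": "203.0.113.10"},
    {"ts": "2025-04-18T09:15:00", "type": "helpdesk_reset", "account": "vendor-it-01", "src": "helpdesk"},
    {"ts": "2025-04-18T09:21:00", "type": "login", "account": "vendor-it-01", "src": "198.51.100.77"},
    {"ts": "2025-04-18T09:40:00", "type": "admin_action", "account": "vendor-it-01", "src": "198.51.100.77"},
    {"ts": "2025-04-18T10:00:00", "type": "helpdesk_reset", "account": "staff-02", "src": "helpdesk"},
    {"ts": "2025-04-18T10:05:00", "type": "login", "account": "staff-02", "src": "203.0.113.20"},
]

# Accounts belonging to third-party suppliers or administrators (assumed tag).
PRIVILEGED = {"vendor-it-01"}
WINDOW = timedelta(hours=2)


def find_suspicious_resets(events, privileged=PRIVILEGED, window=WINDOW):
    """Return (account, reset_ts, new_src) for every privileged account whose
    helpdesk reset is followed, within `window`, by a login from a source
    address that account had not used before the reset."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(events):
        if ev["type"] != "helpdesk_reset" or ev["account"] not in privileged:
            continue
        reset_at = datetime.fromisoformat(ev["ts"])
        # Baseline: source addresses this account logged in from before the reset.
        known = {e["src"] for e in events[:i]
                 if e["account"] == ev["account"] and e["type"] == "login"}
        for later in events[i + 1:]:
            if later["account"] != ev["account"]:
                continue
            if datetime.fromisoformat(later["ts"]) - reset_at > window:
                break  # events are sorted, so nothing later can be in the window
            if later["type"] == "login" and later["src"] not in known:
                alerts.append((ev["account"], ev["ts"], later["src"]))
                break
    return alerts


if __name__ == "__main__":
    for account, reset_ts, src in find_suspicious_resets(EVENTS):
        print(f"ALERT: {account} reset at {reset_ts}, first login from {src}")
```

Widening `PRIVILEGED` to every account the helpdesk can reset turns this into a general post-reset anomaly check; tightening `WINDOW` reduces noise on busy accounts.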
Next steps
Ensuring that you handle, process and store personal data in a way that’s in line with the law isn’t easy. To be confident that you’re compliant, and to address any concerns you may have, contact PRIVACY HELPER today, and let us remove the stress of managing data protection compliance within your business.