With insights from Dr. Raphael Reischuk, Group Head Cybersecurity & Partner (raphael.reischuk@zuehlke.com), and Denis Kolmanic, Head of Retail (denis.kolmanic@zuehlke.com)

The global retail industry is at a tipping point. A growing wave of cyber attacks is sweeping through the sector, raising serious concerns about the industry’s cyber hygiene and resilience. Once seen as a lower-priority target, retail is now squarely in the crosshairs of sustained assaults that may lack sophistication but are devastatingly effective.

In April alone, established brands including Marks & Spencer, Co-op, Harrods, Victoria’s Secret, Dior and Adidas found themselves at the receiving end of cyber intrusions. More recently, in June, the list expanded to include United Natural Foods, Cartier and The North Face.

These incidents form only the visible tip of a much larger, evolving threat landscape. Copycats are likely already circling. So the retail industry faces a choice: invest in robust cybersecurity and protect your customers' trust, or risk a strategic crisis that jeopardises your entire business.

If you are a retail leader, we believe it’s time to act decisively. That means modernising legacy systems, strengthening identity and access controls, thoroughly vetting third-party relationships, and preparing your workforce to handle emerging threats like deepfakes.

Cybersecurity can no longer be siloed in IT; it must become a core strategic pillar of retail operations. Keep reading to discover our perspective on the essential steps retailers must take now to build resilience and avoid becoming the next victim.

Inside retail cyber attacks of 2025: the rise of social engineering

The recent wave of attacks is not an isolated surge but part of an ongoing trend that we believe will only accelerate and spread to other industries.
As cyber attackers grow more emboldened and copycat behaviour increases, retailers must understand who they’re up against and how these groups operate.

Several of the recent attacks have been attributed to Scattered Spider, a threat actor (TA) known for its methodical infiltration techniques. Unlike opportunistic hackers who exploit technical vulnerabilities, Scattered Spider typically spends time researching its victims and leveraging social engineering tactics, particularly against IT departments. By impersonating trusted insiders, the group deceives employees into surrendering valid login credentials. Evidence suggests the group may have compromised hundreds of organisations in just the past two years.

Once access is gained, Scattered Spider typically deploys DragonForce ransomware, a commercially available Ransomware-as-a-Service (RaaS) tool. By outsourcing the malware component, the group is free to focus on reconnaissance, initial access and lateral movement within the network. Victims are then presented with ransom demands, payable in cryptocurrency.

To better understand the makeup of this TA, recent arrests offer valuable insight. Scattered Spider is not a structured, hierarchical organisation but rather a loosely connected group of individuals, primarily young (under 25) native English speakers based in the US and UK. This linguistic and cultural alignment gives them an advantage when impersonating employees and manoeuvring through Western corporate environments with alarming ease.

The fallout: what happens when retail gets hacked

- $4.9 million: global average cost of a data breach
- 78% of companies that paid a ransom were hit by a second attack, often by the same threat actor
- 1 in 4 cybercrimes are aimed at the retail industry
- £270 million – £440 million: estimated total financial impact of attacks on M&S and Co-op

The consequences of a cyber attack in the retail sector extend far beyond the IT department.
These incidents strike at the core of consumer trust, disrupt operational continuity and pose serious financial risks. The damage is often swift, far-reaching and costly.

Many retailers report reputational harm in the aftermath of a cyber attack. According to Statista, 56% of consumers will not trust a company that has recently experienced a data breach. This loss of customer trust inevitably leads to a decline in sales and widespread public backlash, especially when sensitive customer data is compromised.

Regulatory fallout is also on the rise. Retailers found to be in breach of data protection laws such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and others can face significant penalties. Under GDPR, fines can reach up to €20 million or 4% of annual global turnover. These penalties are not only financially damaging but also send a clear signal to customers and investors that the organisation failed to uphold its fundamental duty of care.

On the operational front, disruption is often both immediate and severe. In recent cases, impacted retailers had to take their ecommerce platforms offline, suspend in-store transactions and disable critical internal systems for several days. The global average cost of a data breach stands at $4.9 million. To make matters worse, financial markets respond swiftly and unforgivingly.

When Marks & Spencer was targeted earlier this year, its share price plunged by 6.9%, erasing nearly £700 million in market value within days. To put this into perspective, the company had spent the better part of three years rebuilding investor confidence and adding £3 billion in value through a widely praised turnaround, only to see a quarter of that progress undone in less than a week due to a single cyber attack.

Additionally, the latest analysis by the Cyber Monitoring Centre estimates the total financial impact of the cyber attacks on M&S and Co-op at between £270 million and £440 million.
This figure reflects direct business interruption costs, incident response and IT restoration expenses, and legal and notification costs incurred by both retailers. In a sector already constrained by thin margins and high competition, a single cyber incident can escalate into a full-blown strategic crisis. As such, cybersecurity must become a board-level priority.

How cyber attackers exploit retail’s complexity

The retail sector presents a uniquely challenging environment for cybersecurity, and attackers know this. According to Shopify, around a quarter of all cybercrimes are aimed at the retail industry. The sector’s complexity is not just technical but deeply embedded in the way the industry functions. Factors that have inadvertently created security vulnerabilities include:

- Third-party dependencies: From payment processors to logistics providers and IT service providers, retailers rely on a sprawling ecosystem of vendors, many of which have their own security shortcomings. A breach in any part of this chain can impact the entire organisation.
- Omnichannel operations: The need to integrate physical stores, websites, apps, franchises and support desks adds further complexity. These interconnected systems must exchange data seamlessly in real time, creating multiple points of entry for attackers to exploit.
- Seasonal staffing: Temporary employees hired for the high season may lack adequate cybersecurity training, while high turnover reduces institutional knowledge and increases the risk of insider threats.
- Rapid digital transformation: To make matters worse, the industry’s rapid digital transformation has often prioritised speed over security. Legacy systems, hastily integrated with new digital infrastructure, have become easy targets for sophisticated threat actors.

In short, the retail sector’s operational complexity, decentralised structure and thin margins make it especially vulnerable.
Without a significant shift in how cybersecurity is prioritised, the sector will continue to be a high-value, low-resistance target.

From reactive to ready: how to stay ahead of the cyber threat

There is no shortage of threat actors targeting the retail sector for their own personal gain. The industry must adopt a proactive, layered defence strategy.

1. Prioritise Identity and Access Management

Identity and Access Management (IAM) must be a foundational priority. Enforce strict access controls and ensure multi-factor authentication (MFA) is implemented, but not via SMS, which is susceptible to SIM-swapping attacks. Follow the principle of least privilege by granting users only the access necessary for their roles, and review access privileges regularly for both human and non-human identities to minimise unnecessary exposure.

2. Invest in robust detection, response and recovery capabilities

Organisations must also invest in robust detection, response and recovery capabilities. It’s not enough to prevent an attack; teams must be prepared to detect early warning signs, contain breaches quickly and recover operations in a timely manner.

In the absence of such preparation, some companies resort to paying ransoms in the hope of restoring access following an attack. But this approach rarely ends the crisis. In fact, 78% of companies that pay a ransom are hit by a second attack, often by the same threat actor.

Generally, it’s wise to operate under the assumption that a cybersecurity breach will happen at some point. Don’t think about it as an ‘if’ but rather a ‘when’. Shifting your mindset from prevention alone to resilience is crucial: those with tested incident response plans and strong recovery mechanisms will be far better positioned to minimise operational damage.

3. Maintain strong cyber hygiene

Maintaining strong cyber hygiene is essential. This means keeping systems consistently patched, enforcing proper network segmentation, and applying foundational principles like defence in depth and the zero trust model. When implemented effectively, these measures can greatly reduce both the likelihood and impact of security breaches.

As part of your cyber hygiene efforts, don’t overlook the critical risk posed by legacy technology. Attackers will always go for the weakest link, and these systems often lack the latest security patches and other controls. Modernising legacy systems is not just a technical necessity but a strategic defence measure.

4. Monitor and prepare for emerging cyber attacks

Emerging threats, such as AI-generated deepfakes and impersonation tactics, demand heightened scepticism and verification procedures, especially in communications involving credential access or financial transactions. Organisations should establish a culture of healthy scepticism, encouraging employees to question and validate unusual or unexpected requests. When in doubt, validate through a trusted secondary channel. Promoting this mindset across all levels of the organisation is key to mitigating socially engineered attacks.

5. Continuously train your staff

Human risk continues to be one of the most significant vulnerabilities. According to Verizon’s 2025 Data Breach Investigations Report, 60% of breaches last year involved a human element. So security training must move beyond basic compliance exercises. This means implementing well-structured programmes tailored for the entire workforce, alongside specialised technical training for IT teams, for example on the emerging topic of countering deepfake attacks.

6. Vet third-party vendors

Finally, accountability cannot be outsourced.
Third-party vendors must be brought into the scope of the cybersecurity programme, with clearly defined expectations and legally enforced controls. It is essential to maintain oversight of each vendor’s security policies and practices, and to ensure that contracts include legally binding requirements for timely incident notification. This level of visibility and accountability is critical to minimising third-party risk and ensuring a swift response in the event of a breach.

Invest wisely, act boldly, prioritise resilience

The surge in cyber attacks targeting the retail sector is not a fleeting trend; it reflects a shifting threat landscape that demands urgent and sustained attention. As cyber threats become more sophisticated and persistent, traditional defences and reactive strategies are no longer adequate. Retailers must adopt a proactive, strategic approach that encompasses people, processes and technology.

Cybersecurity can no longer be confined to IT departments or regarded as a routine operational cost. It must be embedded within the fabric of retail operations and championed at the highest levels of leadership. The cost of inaction is loss of trust, regulatory sanctions, operational disruption and financial harm. This cost is simply too great in the competitive world of retail. Retailers must begin treating cybersecurity with the same level of rigour as highly regulated sectors like financial services and healthcare.

At Zühlke, we bring deep expertise from complex, highly regulated industries to help retail organisations strengthen their cybersecurity resilience through tailored, end-to-end solutions. Whether you're facing legacy system challenges, third-party vulnerabilities, or need to embed security into your digital transformation, our experts are here to support you.

Interested in diving deeper into retail cybersecurity?
If you’d like to explore these challenges and solutions further, whether through a virtual session, workshop or live event, please let us know by filling out the form below. You’ll be among the first to hear about upcoming retail cybersecurity activities and receive an exclusive invitation.