The retail sector may be under siege. While healthcare and finance were previously the main targets, threat actors now appear to be shifting their efforts toward retail and its supply chains, and both are feeling the strain.
In just under a month, Marks & Spencer, Co-op, Harrods, Christian Dior and, most recently, the logistics firm Peter Green Chilled have all been hit. Google’s security team warns that the group behind these attacks, rumored to be Scattered Spider, may be turning to US retailers next. The warning was made more emphatic last week by Google’s Threat Intelligence Group chief analyst John Hultquist, who shared on X, “Shields up, US retailers. They’re here.”
If there is one thing to take away from these retail data breaches, it is that they are not stray bullets. They bear the marks of carefully planned and orchestrated operations.
What has remained less clear is why threat actors are pushing so hard on retail organizations. Which vulnerabilities are giving retailers away so cheaply?
Key Takeaways
- Retail data breaches are on the rise, with both large brands and logistics firms being targeted.
- Recent attacks may appear random, but they are likely part of coordinated, large-scale campaigns.
- Weak vendor systems and outdated infrastructure are major entry points due to a lack of consistent security reviews.
- Basic data, such as names and emails, could be used for targeted phishing and impersonation.
- Response speed is critical to minimizing damage and downtime after a breach.
Retailers as the Low-Hanging Fruits
It’s hard to say exactly why cybercrime groups have zeroed in on major retail brands in recent months. Financial gain is the usual suspect, and that’s certainly part of it. But if profit alone were the goal, there are sectors with far deeper pockets. So why retail?
The answer likely lies in the industry’s underlying vulnerabilities. Retail may not top the revenue charts, but it sits at the intersection of sprawling supply chains, legacy systems, and high employee turnover – an ideal mix for attackers looking to exploit weak retail cybersecurity at scale.
The motive, then, may be less about chasing the biggest payout and more about hitting where defenses are spread thin.
This line of thought resonates with many cybersecurity experts. 0rcus CEO and Co-Founder Nick Adams told Techopedia:
“Attackers see the retail and logistics ecosystems as multi-dimensional attack surfaces, ripe for hybrid exploitation because they occupy the nexus of physical goods, financial flows, and data highways.”
Adams believes that while ransomware paydays are attractive, “the grand prize is supply chain subversion: implanting backdoors in vendor software, injecting poisoned firmware, or corrupting logistics telemetry.”
For Josh Davies, Principal Market Strategist at Fortra, cybercriminals who attack retailers are also motivated by the opportunity to profit in multiple ways. Speaking to Techopedia, he explained, “Every minute of downtime could be a lost sale,” citing recent incidents where websites crashed, online orders were halted, card payment systems went offline, and stocking systems failed, all of which led to direct financial losses.
He further pointed out that retailers are prime targets because they store sensitive personal and payment data. “That information can be sold on the dark web, and if stolen, it triggers compliance fines and fraud monitoring costs.”
Where the Main Retail Cybersecurity Challenges Lie
Much of what drives retail breaches comes down to three common weaknesses, according to Dave McGrail, Head of Business Consultancy at Xalient, and Chris Woods, Founder and CEO at CyberQ Group.
The first is social engineering aimed at IT helpdesks, which often lets attackers impersonate employees to have passwords reset or multi-factor authentication disabled, giving them direct access.
Once inside, attackers commonly move through Microsoft Active Directory to reach a domain controller and extract the directory database that stores password hashes for every domain user (the NTDS.dit file), which can then be cracked offline.
Finally, IoT devices such as smart inventory trackers and connected POS terminals introduce vulnerabilities that attackers exploit to gain a foothold on the network unnoticed.
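The helpdesk-reset and Active Directory steps above leave telemetry that a security operations team can correlate. The Python below is an added example written for this article, not code from any of the quoted vendors: it runs two detections over a constructed event stream, one for a helpdesk-initiated MFA reset followed shortly by a sign-in from a device the account has never used, and one for directory replication requests (Windows Security Event ID 4662 carrying the DS-Replication-Get-Changes rights, the signature of a DCSync-style hash extraction) made by anything other than a domain controller. The event field names and the sample records are assumptions built for the example; the two replication GUIDs are the real control-access-right identifiers.

```python
"""Detect the helpdesk-reset -> Active Directory credential-dump chain.

Added example; not from the article or any quoted company. The event
records below are constructed to resemble (a) an identity-provider audit
log and (b) Windows Security Event ID 4662 flattened into a dict. Field
names are assumptions, not any vendor's schema.
"""
from datetime import datetime, timedelta

# Real control-access-right GUIDs that appear in the Properties field of
# Event ID 4662 when a principal requests directory replication (DCSync).
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = {DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL}

# Principals legitimately allowed to replicate: domain controller machine
# accounts (names end with '$') plus an operator-maintained allow-list.
ALLOWED_REPLICATORS = {"AZUREADSSOACC$"}  # assumption: example allow-list


def ts(value):
    return datetime.fromisoformat(value)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"time": "2025-05-01T09:02:00", "source": "idp", "action": "mfa_reset",
     "actor": "helpdesk.tier1", "target": "j.smith", "channel": "phone"},
    {"time": "2025-05-01T09:05:00", "source": "idp", "action": "signin",
     "target": "j.smith", "device_id": "dev-unknown-7f3a", "known_device": False},
    {"time": "2025-05-01T09:40:00", "source": "winsec", "event_id": 4662,
     "subject": "j.smith", "properties": "{" + DS_REPL_GET_CHANGES_ALL + "}",
     "object_type": "domainDNS"},
    {"time": "2025-05-01T09:41:00", "source": "winsec", "event_id": 4662,
     "subject": "DC02$", "properties": "{" + DS_REPL_GET_CHANGES + "}",
     "object_type": "domainDNS"},
    {"time": "2025-05-01T11:00:00", "source": "idp", "action": "mfa_reset",
     "actor": "helpdesk.tier1", "target": "a.jones", "channel": "in_person"},
    {"time": "2025-05-01T11:03:00", "source": "idp", "action": "signin",
     "target": "a.jones", "device_id": "dev-corp-0012", "known_device": True},
]


def suspicious_mfa_resets(events, window=timedelta(minutes=30)):
    """Return users whose MFA was reset and who then signed in, within
    `window`, from a device the account had never used before."""
    resets = [e for e in events if e.get("action") == "mfa_reset"]
    signins = [e for e in events if e.get("action") == "signin"]
    hits = set()
    for reset in resets:
        for signin in signins:
            if signin["target"] != reset["target"] or signin["known_device"]:
                continue
            delta = ts(signin["time"]) - ts(reset["time"])
            if timedelta(0) <= delta <= window:
                hits.add(reset["target"])
    return hits


def dcsync_subjects(events, allowed=ALLOWED_REPLICATORS):
    """Return subjects that requested directory replication (4662 with a
    replication GUID) and are neither DC machine accounts nor allow-listed."""
    hits = set()
    for event in events:
        if event.get("event_id") != 4662:
            continue
        props = event.get("properties", "").lower()
        if not any(guid in props for guid in REPLICATION_GUIDS):
            continue
        subject = event["subject"]
        if subject.endswith("$") or subject in allowed:
            continue
        hits.add(subject)
    return hits


def chained_compromises(events):
    """Accounts that hit both detections: reset via the helpdesk, used from
    a new device, and then pulling password hashes from the directory."""
    return suspicious_mfa_resets(events) & dcsync_subjects(events)


if __name__ == "__main__":
    print("suspicious resets:", suspicious_mfa_resets(SAMPLE_EVENTS))
    print("replication by non-DC:", dcsync_subjects(SAMPLE_EVENTS))
    print("full chain:", chained_compromises(SAMPLE_EVENTS))
```

On the sample data only j.smith trips both rules; a.jones had a legitimate in-person reset and signed in from a known device, and DC02$ is a domain controller replicating as normal. The replication check on its own is the higher-fidelity signal; the MFA-reset correlation mainly shortens the time between the helpdesk call and the first alert.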
But beyond these factors lie other weak links that may be diluting cybersecurity efforts in retail. Mike Logan, CEO of C2 Data Technology, noted that third-party access remains one of the easiest entry points for attackers.
He explained:
“Many retailers work with a scattered network of vendors but don’t have full visibility into how secure those partners actually are. Those weak links aren’t always visible, but have become a common and often way-too-easy entry point for attackers.”
Logan also flagged the risks around outdated systems still running inside stores and warehouses. He said:
“Older POS terminals, routers, or warehouse infrastructure can’t support the latest security updates. The problem is worse on the hardware side, where fixes are slower and often require costly replacements.”
Jay Bavisi, Group President at EC-Council, noted how attackers are increasingly taking advantage of “low-risk” data. Names, phone numbers, and emails aren’t usually protected with the same urgency as payment information. But once stolen, that data can be used to impersonate staff or customers, making retail data security a primary concern.
Bavisi told Techopedia:
“Attackers use this information for highly targeted phishing, impersonation, and credential harvesting campaigns.”
These entry points don’t require advanced tools or zero-day exploits; they rely on routine oversights such as unpatched systems, unsecured accounts, and staff not trained to spot subtle manipulation.
What Every Retailer Can Do to Stay Ahead
There’s no shortage of advice on how to respond after a breach. But the more important work happens before attackers get in.
Even so, Logan of C2 Data Technology says retailers need to invest in response planning rather than leaving it as an afterthought.
He told Techopedia:
“We’ve seen incidents where retail businesses spend over a week recovering from an attack that could have been remediated in under 48 hours. Speed is everything in these moments.”
The delays aren’t always technical; many come from not knowing what to do when systems go down. And it’s not just about recovery.
Logan also calls on large retail chains to build full environment visibility into their retail cybersecurity solutions. He explained:
“Retailers need real-time monitoring on both physical and virtual infrastructure, and that includes third-party systems they rely on day to day.”
Without that, attackers can move freely for days or weeks before they’re even noticed.
After this many retail data breaches, long-term cyber resilience has to be the goal. Jordan Avnaim, Chief Information Security Officer at Entrust, echoed this in his statement to Techopedia. He advised:
“Retailers that treat cybersecurity as a business risk, not just an IT issue, will be best positioned to weather this evolving threat landscape.”
That mindset also extends to the supply chain – an often overlooked but critical area of exposure. Sam Peters, Chief Product Officer at ISMS.online, urges retailers to take a more proactive stance.
Peters told Techopedia:
“We would also urge organizations to understand and map their supply chain risks. Knowing what you have and what risks and opportunities exist within your supply chain is the most important step in improving security.”
The Bottom Line
Reports that M&S may incur nearly £300 million in losses after a significant cyber incident should serve as a stark warning to retail chains. These attacks highlight how exposed the retail sector has become as digital operations expand and reliance on third parties grows.
Experts suggest taking practical steps to stay ahead: gaining full visibility across systems and vendors, mapping supply chain risks, and clearly defining incident response roles and plans.
For those already affected, speed is critical. Delays often result not from a lack of technology but from confusion over what to do once systems are compromised. The faster a business can detect and respond, the more it can contain the damage and avoid becoming the next cautionary headline.