The UK is in the midst of a retail cybercrime spree. Harrods, Co-Op and the iconic Marks & Spencer (M&S) have all fallen victim to large-scale cyberattacks. While Harrods stores and its website remained open following its breach, M&S wasn’t so fortunate. As early as February, attackers infiltrated M&S’s systems, with immediate repercussions. M&S suspended all online orders, affecting both clothing and homewares sales, which make up a significant portion of its revenue. In-store operations were also affected, with disruptions to contactless payments and shortages of staple items in some locations, resulting in customer dissatisfaction.
Hundreds of employees, especially those working remotely, were unable to access internal systems and were forced to revert to manual processes. The company’s market valuation fell by around £700 million, highlighting investor concern over the impact of the breach and M&S’s slow response.
The wave of attacks in the UK follows others around the globe, including in Australia, where Latitude Financial, which partners with major retailers like Harvey Norman, JB Hi-Fi, and The Good Guys, was hit by a major data breach in 2023, affecting more than 14 million customer records. The event became one of the largest of its kind in Australian history, triggering regulatory scrutiny and eroding consumer trust.
In the US, the Kroger supermarket chain faced a breach via a third-party file transfer service, illustrating the growing risk of supply-chain and vendor-based vulnerabilities. Meanwhile, Home Depot, Target and Neiman Marcus have all suffered high-profile attacks in recent years.
Retailers have always worked hard to build consumer trust through quality, consistency, and service. But in today’s digitised commerce landscape, trust can hinge on something less tangible: data security.
Why is retail such an appealing target?
Few industries sit on as much rich, real-time data as retail. Retailers hold millions of customer profiles, detailed purchase histories, payment methods and behavioural data. This makes them attractive to cybercriminals – and uniquely exposed if they don’t take security seriously.
The digitisation of loyalty schemes, the expansion of retail media networks, and the push toward personalisation have opened new commercial frontiers. But these also expand the attack surface. The implications for retailers are clear.
Cyber incidents now erode brand equity, not just systems
As the M&S case shows, even minor lapses create outsized reputational risk. Consumers expect retailers to manage data responsibly. The moment that trust disappears, conversion, loyalty and spend can quickly follow.
Retail media depends on data integrity
First-party data is the fuel of retail media. But if the source is seen as insecure, brands may pause investment, and consumers may opt out. A breach doesn’t just hit the IT team – it can stall one of retail’s most profitable growth engines.
Operational disruption can hit peak trading
When the Woolworths MyDeal platform was breached in 2022, exposing the data of 2.2 million customers, it prompted a swift shutdown, security audits, and ongoing scrutiny. In a digital-first world, one breach can knock out e-commerce sales, delay fulfilment, or disrupt promotional campaigns.
Retailers are accountable for their partners
Many breaches happen via third-party vendors – file storage, loyalty tech, analytics platforms. Retailers must audit partners as closely as they audit their own systems.
So, where does this leave retail leaders?
Cyber resilience must become a commercial imperative, not just a technical one. That means embedding security into every digital transformation initiative, treating cyber-risk as a brand protection strategy rather than merely an IT function, investing in breach preparedness and consumer communication protocols, and rigorously vetting partners, platforms and vendors as part of robust data governance.
Because when trust is broken, customers don’t just walk away – they click away. And the next retailer is only ever a swipe or a scroll away.
Cybersecurity isn’t just about keeping the bad guys out. It’s about signalling to customers that their data – and their loyalty – is worth protecting.