In recent weeks, cyber attacks have shifted from sporadic news items to regular national headlines. Marks and Spencer’s, Co-op, Harrods, alongside international brands like Dior and Coinbase, have all recently been targets of cyber incidents. Retailers, in particular, are being increasingly targeted, and while not every incident receives media attention, it is evident that retail crime is surging at an unprecedented rate. The sector faces dual issues: significant investment in customer-facing cyber infrastructure paired with inadequate investment in cyber security.
Data from the Information Commissioner’s Office (ICO) shows that phishing and ransomware attacks have significantly increased across all sectors since 2019. However, the retail and manufacturing sector has seen one of the sharpest rises of any tracked industry. In 2019, reported attacks in this sector were below 2,000 annually. By 2024, that number had more than doubled to over 4,000 incidents. From 2022, the retail sector’s rise is steep, overtaking every other industry by 2024. The general trend indicates that while cyber crime is climbing everywhere, retail suffers the most.
Two post-pandemic shifts have accelerated retail cyber crime: the move from cash to plastic and the push for personalised advertising, which relies on vast customer data. The 2025 Ransomware Report by cybersecurity firm Delinea, shared exclusively with City AM, confirms attackers are increasingly strategic and destructive.
The report reveals that 69 per cent of organisations surveyed have faced a ransomware breach, with over a quarter being hit more than once. Alarmingly, 60 per cent of these attacks now involve data extortion, with the theft and potential publication of sensitive information. Yet, only 33 per cent of businesses have implemented effective access controls like least privilege policies, leaving harmful gaps in cyber defences.
Sophisticated criminal groups are exploiting these vulnerabilities through AI-driven attacks, deepfake social engineering, and compromised credentials. With advancing AI tools, threat actors are not only breaking into systems but also evading detection, automating target selection, and amplifying the resulting chaos. Experts point to the combination of valuable data, outdated IT infrastructure, and a history of under-investment in cyber security as key issues. Professor Feng Li of Bayes Business School says, “Retailers on tight margins have historically underinvested in comprehensive cyber security. As they’ve layered digital systems on top of legacy infrastructure, they’ve widened the attack surface.”
In practice, attackers face less resistance when infiltrating retail systems and more potential reward. Cyber gangs like Scattered Spider, reportedly behind the M&S breach, increasingly target retailers with tailored phishing and ransomware campaigns, using stolen credentials and insider information to move quickly and quietly through systems. According to Schniederbanger, high staff turnover in retail exacerbates the problem, as accounts and credentials are often created faster than they are removed, and helpdesks can’t match the increased activity during seasonal peaks, increasing vulnerability.
The financial fallout of these attacks is becoming increasingly visible. After its recent cyber incident, the share price of supermarket giant Marks and Spencer’s fell sharply, from around 405p in mid-April to just 345p by early May — a nearly 15 per cent drop in less than a month. The timeline shows a stark correlation between the attack’s disclosure and investor reaction, indicating that cyber security is now a boardroom issue, not just a technical one. Despite some recovery in late May, consumer confidence remains damaged. M&S estimates the hit to its operating profit at £300m, with analysts warning of reputational harm and a loss of consumer trust that may take years to mend.
The Delinea report highlights the chaos ransomware can bring. About 75 per cent of victims recover within two weeks, and less than 1 per cent struggle beyond a month, but outliers can suffer devastating consequences. In June 2023, KNP Logistics collapsed following a ransomware breach, causing 730 job losses. A year later, a similar attack on NHS supplier Synnovis led to thousands of cancelled procedures and a blood donation emergency in London.