Cyber advisory: UK retailers under attack

Background

Major UK retailers, including Marks & Spencer, Harrods and Co-op, have recently confirmed cyberattacks, with suspicions pointing to cyber threat group Scattered Spider. While it remains unclear if the incidents are connected, they have caused notable disruption for customers and staff. In response, CyXcel’s Steve Sandford, Partner, Incident Response and Digital Forensics, and Stewart Duffy, Legal Director, share their guidance for retailers looking to strengthen their security measures.

Why are retailers prime targets for cyberattacks?

Retail businesses are prime targets for cybercriminals, largely because they:

• Handle large volumes of sensitive data, including customer payment information and personal details for loyalty schemes and advertising purposes, which are valuable to threat actors.
• Operate complex supply chains, making them vulnerable to security gaps and third-party breaches.
• Rely on uptime and customer trust, such that any disruption can lead to reputational and financial damage, increasing the pressure to pay ransoms.
• Often use older technology which may lack modern security features with vulnerabilities that are harder to patch.
• Experience high employee churn, which can lead to inconsistent cybersecurity training.

From point of sale (POS) breaches and account takeover fraud to eCommerce attacks and ransomware – it is clear that outdated or overstretched controls simply aren’t enough for companies operating in the retail sector.

How can retailers build their resilience to cyberattacks?

Focus on Data Protection

Threat actors cannot steal or encrypt data which you do not collect or retain. The costs and impact of responding to data exfiltration or ransomware attacks can be needlessly amplified by collections of personal data which were never, or are no longer, necessary for business need. Other personal data collections could be rationalised, or streamlined, by redesigning processes with a privacy by design and default approach to personal data.

Data protection expertise can facilitate the achievement of business goals whilst avoiding the accumulation of unnecessary risk. That is why it is important to have a ‘critical friend’ with appropriate skills and knowledge in data protection practice to bring constructive challenge to your data collection practices. Prevention is always better than cure. Furthermore, ensure you have a clear understanding of what data you are collecting and for what purpose and reassess your organisation’s data collection practices and lifecycles.

Invest in cybersecurity – the technical and human aspects

For retail clients, security controls need to be practical, resilient and adaptive - particularly given the volume of customer data, transaction flow, and third-party integrations.

Here’s a structured approach for security teams to revisiting, strengthening and protecting your controls:

 1. Reassess the threat landscape

• Conduct a fresh risk assessment tailored to retail (e.g. POS malware, card skimming, loyalty program fraud, supply chain risks).
• Review threat intelligence feeds to understand trends such as credential stuffing, gift card fraud, and business email compromises targeting retail finance teams.

 2. Strengthen key security controls

Network and Perimeter

• Implement segmentation
• Use next-gen firewalls, web application firewalls and DNS filtering.
• Ensure all internet-facing assets are behind DDoS protection.

Endpoint and POS

• Deploy EDR/XDR tools on all endpoints, including POS systems.
• Disable unnecessary ports/services and apply application whitelisting on POS terminals.

Access management

• Enforce MFA for all staff, especially back-office systems.
• Implement least privilege access and regular reviews of role-based access controls.
• Monitor for stale or unused accounts, especially seasonal staff.

Data security

• Encrypt customer and payment data at rest and in transit.
• Tokenise or mask cardholder data.
• Store only the minimum required personal data.

3. Monitor and respond

• Ensure 24/7 monitoring through an in-house SOC or MDR provider.
• Integrate logs across POS, website, and internal systems into a SIEM platform.
• Define and test incident response playbooks for common retail threats.

4. Test and validate

• Run regular penetration testing including targeted assessments on payment flows and eCommerce portals.
• Conduct red/purple team exercises to assess detection and response effectiveness.
• Test business continuity plans, especially in peak trading periods.

5. Train staff

• Tailor security awareness training to include social engineering, refund fraud, and phishing.
• Include store staff, warehouse teams, and online support agents in simulations.

6. Third-party and supply chain management

• Vet vendors handling payments, logistics, marketing etc.
• Obtain and review SOC 2 or PCI-DSS attestations.
• Limit API access and continuously monitor for anomalies.

7. Regular governance reviews

• Review policies and controls quarterly to account for changes in store systems, eCommerce platforms, or customer engagement strategies.
• Map controls to key cybersecurity standards like NIS2 or ISO 27001, for structured oversight.

Conclusion

Retailers must be proactive in strengthening their cybersecurity measures. In today’s rapidly evolving cyber risk landscape, cyberattacks are no longer a matter of ‘if’ but ‘when’ for organizations operating in that space.

Background

Major UK retailers, including Marks & Spencer, Harrods and Co-op, have recently confirmed cyberattacks, with suspicions pointing to cyber threat group Scattered Spider. While it remains unclear if the incidents are connected, they have caused notable disruption for customers and staff. In response, CyXcel’s Steve Sandford, Partner, Incident Response and Digital Forensics, and Stewart Duffy, Legal Director, share their guidance for retailers looking to strengthen their security measures.

Why are retailers prime targets for cyberattacks?

Retail businesses are prime targets for cybercriminals, largely because they:

·        Handle large volumes of sensitive data, including customer payment information and personal details for loyalty schemes and advertising purposes, which are valuable to threat actors.

·        Operate complex supply chains, making them vulnerable to security gaps and third-party breaches.

·        Rely on uptime and customer trust, such that any disruption can lead to reputational and financial damage, increasing the pressure to pay ransoms.

·        Often use older technology which may lack modern security features with vulnerabilities that are harder to patch.

·        Experience high employee churn, which can lead to inconsistent cybersecurity training.

From point of sale (POS) breaches and account takeover fraud to eCommerce attacks and ransomware – it is clear that outdated or overstretched controls simply aren’t enough for companies operating in the retail sector.

How can retailers build their resilience to cyberattacks?

Focus on Data Protection

Threat actors cannot steal or encrypt data which you do not collect or retain. The costs and impact of responding to data exfiltration or ransomware attacks can be needlessly amplified by collections of personal data which were never, or are no longer, necessary for business need. Other personal data collections could be rationalised, or streamlined, by redesigning processes with a privacy by design and default approach to personal data.

Data protection expertise can facilitate the achievement of business goals whilst avoiding the accumulation of unnecessary risk. That is why it is important to have a ‘critical friend’ with appropriate skills and knowledge in data protection practice to bring constructive challenge to your data collection practices. Prevention is always better than cure. Furthermore, ensure you have a clear understanding of what data you are collecting and for what purpose and reassess your organisation’s data collection practices and lifecycles.

Invest in cybersecurity – the technical and human aspects

For retail clients, security controls need to be practical, resilient and adaptive - particularly given the volume of customer data, transaction flow, and third-party integrations.

Here’s a structured approach for security teams to revisiting, strengthening and protecting your controls:

1.    Reassess the threat landscape

·        Conduct a fresh risk assessment tailored to retail (e.g. POS malware, card skimming, loyalty program fraud, supply chain risks).

·        Review threat intelligence feeds to understand trends such as credential stuffing, gift card fraud, and business email compromises targeting retail finance teams.

2.    Strengthen key security controls

Network and Perimeter

• Implement segmentation
• Use next-gen firewalls, web application firewalls and DNS filtering.
• Ensure all internet-facing assets are behind DDoS protection.

Endpoint and POS

• Deploy EDR/XDR tools on all endpoints, including POS systems.
• Disable unnecessary ports/services and apply application whitelisting on POS terminals.

Access management

• Enforce MFA for all staff, especially back-office systems.
• Implement least privilege access and regular reviews of role-based access controls.
• Monitor for stale or unused accounts, especially seasonal staff.

Data security

• Encrypt customer and payment data at rest and in transit.
• Tokenise or mask cardholder data.
• Store only the minimum required personal data.

3. Monitor and respond

• Ensure 24/7 monitoring through an in-house SOC or MDR provider.
• Integrate logs across POS, website, and internal systems into a SIEM platform.
• Define and test incident response playbooks for common retail threats.

4. Test and validate

• Run regular penetration testing including targeted assessments on payment flows and eCommerce portals.
• Conduct red/purple team exercises to assess detection and response effectiveness.
• Test business continuity plans, especially in peak trading periods.

5. Train staff

• Tailor security awareness training to include social engineering, refund fraud, and phishing.
• Include store staff, warehouse teams, and online support agents in simulations.

6. Third-party and supply chain management

• Vet vendors handling payments, logistics, marketing etc.
• Obtain and review SOC 2 or PCI-DSS attestations.
• Limit API access and continuously monitor for anomalies.

7. Regular governance reviews

• Review policies and controls quarterly to account for changes in store systems, eCommerce platforms, or customer engagement strategies.
• Map controls to key cybersecurity standards like NIS2 or ISO 27001, for structured oversight.

Conclusion

Retailers must be proactive in strengthening their cybersecurity measures. In today’s rapidly evolving cyber risk landscape, cyberattacks are no longer a matter of ‘if’ but ‘when’ for organizations operating in that space.