The news: UK retailers are reeling from a series of cyberattacks that hit operations at Marks & Spencer, Harrods, and Co-op.
- In addition to exposing sensitive customer data to bad actors, the hacks have upended operations, resulting in empty shelves and stalled ecommerce sales.
- Although it is unclear if the incidents were linked, they are nevertheless a clear “wake-up call to all organisations,” Richard Horne, the CEO of the UK National Cyber Security Centre, said in a statement.
Exploiting vulnerabilities: Cybersecurity remains a considerable weakness for retailers because of hackers’ growing sophistication and retailers’ reliance on third-party tools.
- An investigation by ecommerce security firm Sansec found that between 500 and 1,000 ecommerce sites—including one multinational company—have been infected by malware delivered through Magento extensions, leaving payment information and other sensitive data exposed.
- Both M&S and Co-op were hacked after a social engineering scheme enabled hackers to reset employees’ passwords.
Hackers are also growing bolder.
- Retailers faced 837 attempted cyberattacks in 2024, a 15% jump YoY, according to Verizon’s latest Data Breach Investigations Report. Half of those incidents resulted in a data breach, although just 12% involved payment information.
- Ransomware is becoming a major concern, with the number of occurrences surging 74.71% QoQ in Q1, per PDI Technologies.
Our take: At a time of economic uncertainty, cyberattacks can be particularly devastating for retailers—especially as they move to unify in-store and online operations, and rely on digital systems to handle everything from inventory management to payment processing.
- The attack on M&S has already reduced annual profits by £30 million ($38.3 million), and is expected to cost the retailer £15 million ($19.2 million) per week until it is able to fully restore operations, according to an analysis by Deutsche Bank.
- The M&S struggles are a cautionary tale for retailers on both sides of the pond, pointing to the need for stronger cybersecurity measures as well as more robust training to ensure employees don’t inadvertently open the door to bad actors.