Are cyber attacks about to become the norm for British retailers?

In the last month, cyber attacks have gone from a destructive but uncommon issue to the top of most Brits' news feeds.
Marks and Spencer, Co-op and Harrods, along with the international firms Dior and Coinbase, have all been the target of attacks in recent months, and smaller or unsuccessful attacks have likely gone under the radar.
Retailers in particular have been targeted, but what seems to be the connecting thread is data-heavy firms with insecure legacy systems.
The goal of retail marketing has long been hyper-personalised advertising, something that data tracking and large language models have brought tantalisingly close.
Retailers collect and process millions of personal records, including names, addresses, payment details and shopping habits, making them a lucrative target for cyber criminals.
“[Companies have] the data not from just your interactions with that particular retailer, but numerous data feeds – be it from social media or from other websites that you’ve interacted with, and can give you something that’s very tailored to what you want,” Asam Malik, head of digital & risk consulting at Forvis Mazars, said.
This gives them a tremendous amount of valuable data – all locked into systems with below-par security, according to Simon Pamplin, CTO of Certes.
Pamplin explained that many current cyber strategies are designed to defend the network, not the data.
“Today’s attackers aren’t just locking systems, they’re extracting data. If we focus only on keeping them out, we’re missing the point,” Pamplin said.
This is just the start
The recent cyber attacks on major UK retailers are unlikely to be the last, and in many ways, they’re a mere glimpse of what’s to come.
Decades of under-investment in cyber protection, combined with an expansion in the amount of data that firms hold and process, have created a vault of information with a much lower level of security than, say, a bank.
“Retailers on tight margins have historically under-invested in comprehensive cyber security”, said Professor Feng Li of Bayes Business School. “As they’ve layered digital systems on top of legacy infrastructure, they’ve widened the attack surface”.
Li warned: “Until the retail sector treats cyber security as a strategic investment – not just a compliance box – breaches will keep happening”.
Current regulations, he says, don’t go far enough to force meaningful change. The growing dependence on third-party digital services adds yet more weak points, leaving many firms increasingly exposed.
In the race for convenience, scale and speed, retailers have too often under-invested in resilience.
Meanwhile, well-organised cyber groups, like the resurgent Scattered Spider, are exploiting the cracks.
These are not lone-wolf hackers; they are sophisticated operations deploying ransomware, phishing campaigns and advanced social engineering techniques with ruthless efficiency.
Experts agree that even the best security defences can’t prevent every breach. That’s why robust, rehearsed incident response plans, complete with clear roles and recovery strategies, are no longer optional.
The future of cyber security will hinge on vigilance, not just tools.
“Cyber security must become a fundamental business priority”, said Google threat intelligence’s John Hultquist, warning that retail will remain a top target.
High costs and long recoveries
M&S has now confirmed hackers accessed customer contact information in a breach that forced its online clothing platform offline for weeks, at a cost of over £43m a week.
Co-op, meanwhile, had to pause parts of its supply chain to contain the damage.
Outside retail, the Legal Aid Agency has seen 2.1m records accessed, with data on criminal records, national insurance numbers and financial details going as far back as 2010.
The cost for both consumers and companies is clear: customers are at risk of phishing emails attempting to steal even more sensitive information, while companies face an erosion of customer trust, lost profit and higher insurance premiums.
The attack on Marks and Spencer wiped off over £1bn from its market cap and cost it over £60m in lost profit, according to analysts.
“Retailers operate in such high-pressure, low-margin environments, where sustained downtimes can have a disproportionate impact on customer retention and revenue,” Fastly’s information security officer Marshall Erwin said.
Marks and Spencer boss Stuart Machin saw his pay cut by £1.06m, because much of it is tied to a performance share plan and a deferred bonus scheme.
But that’s not the only issue: retailers are increasingly being drawn into PR battles, with the perpetrators of the attacks “contacting journalists to take advantage of the publicity their actions have generated”, Jo Joyce, partner at global law firm Taylor Wessing’s cyber team, said.
Cyber experts have also warned of the effects of eroded consumer trust after a cyber attack, particularly with regard to payments data.
“There is a major risk that shoppers lose trust in the brand,” AJ Bell analyst Dan Coatsworth said.
Insurance premiums, too, are set to rocket for both the affected companies and for the wider sector.
“This disruptive attack – and any resulting payout – will be a major data point used by insurers in future underwritings,” Adam Casey, Director of Cybersecurity & CISO at Qodea, said.
“As non-payment of ransoms becomes a more common policy as well, insurers are going to see bigger costs from breach recovery and business interruption. All this will combine to push premiums up.”
AI: Friend or foe?
One of the reasons the number of attacks has stepped up is the rapid improvement in artificial intelligence, which now plays both sides of the cyber security arms race.
According to Cisco’s 2025 cyber security readiness index, while 92 per cent of UK firms use AI to detect or respond to threats, 78 per cent have also suffered AI-related breaches.
“AI is a force multiplier – for defenders and attackers,” Martin Lee, EMEA lead at Cisco Talos, told City AM. “The bad guys are organised, they have tools, and they have a business model”.
He notes that many attackers are now using generative AI to craft more convincing phishing emails, automate intrusion attempts, and even mimic employee communications.
AI has also made it easier to exploit what’s known as ‘shadow AI’: employees’ use of unapproved AI tools that sit outside the organisation’s security controls.
“People love shiny new tech and move faster than policy”, Lee warned. “We’re seeing confidential data being pumped into public models without any oversight”.
UK minister Pat McFadden recently declassified an intelligence report warning that AI will increase both the frequency and severity of cyber attacks.
Speaking at CyberUK 2025, he confirmed that new legislation, under the Cyber Security and Resilience Bill, will aim to give the government powers to force higher standards across regulated sectors.
But Cody Barrow, cyber security lead at Ekco, said the private sector must step up too: “Faster detection, smarter automation and security built in from day one must become the standard – not the exception”.