Retail data threats peak in Q2, as UK sector grapples with cyber spree
New analysis of cyber threat data suggests a clear seasonal pattern is emerging in retail-focused attacks, with the second quarter of the year consistently seeing a spike in malicious activity targeting retailers across the UK.
The findings, based on Abnormal AI’s data collected between January 2023 and June 2025, indicate that threat actors are increasingly aligning their campaigns with periods of heightened retail activity, when businesses are most vulnerable due to increased transaction volumes, temporary staffing, and supply chain complexity.
For retailers already contending with economic pressures and slim margins, the ability to anticipate these surges may offer a rare opportunity to shift from reactive to preventative security strategies.
Renewed cyber threats
The findings come as the UK retail sector confronts a series of high-profile cyber incidents.
Co-op confirmed yesterday that its membership platform had been compromised in a cyberattack affecting up to 6.5 million users.
Shirine Khoury-Haq, the group’s chief executive, described the breach as “devastating”, adding that the retailer remains in close communication with regulators and law enforcement.
Separately, Marks & Spencer chair Archie Norman told MPs that a cyberattack in April had caused significant disruption, describing the £300m impact as “traumatic.”
The firm’s recovery is ongoing, with full restoration of systems not expected until August.
Earlier in June, the National Crime Agency arrested four individuals in connection with cyberattacks targeting major UK retailers, including M&S, Harrods, and Co-op.
Those detained include three teenagers and a 20-year-old woman suspected of involvement in an organised crime group that used ransomware to extract data and disrupt operations.
Seasonal trends in threat activity
The data shows a clear Q2 peak in email-based cyberattacks across the retail sector in both the UK and US.
In the UK, retailers averaged nearly 492 attacks per 1,000 mailboxes during the second quarter, compared with 445 in Q4 – a 10.5 per cent increase.
The seasonal surge aligns with key retail sales periods such as spring promotions and the lead-up to events like Mother’s Day and Father’s Day.
During these times, retailers typically onboard temporary staff and increase digital communication with vendors and customers – conditions that threat actors appear to exploit.
Despite the regional disparity in volume, the similarity in timing suggests that cybercriminals are leveraging global retail cycles to orchestrate their campaigns.
Phishing accounted for the majority of advanced email threats, comprising nearly two thirds of attacks in the US and just over half in the UK.
While phishing activity followed the broader Q2 peak, business email compromise (BEC) incidents followed a different trend – consistently peaking in Q1 across both markets.
In the UK, BEC volumes dropped by 29 per cent from Q1 to Q4, while the US saw a 17 per cent decline.
Analysts suggest the Q1 spike may coincide with financial year beginnings, vendor negotiations, and budgeting cycles – all periods that present opportunities for impersonation or fraud.
UK cyber strategy under review
The findings come amid wider discussion about the UK’s readiness to defend against sophisticated cyber threats.
M&S chair Archie Norman told lawmakers last week that the UK remains under-resourced compared to the US and called for greater investment in national cybersecurity infrastructure.
The government recently designated cybersecurity a “frontier industry” in its industrial strategy, alongside AI and quantum computing.
A Cyber Growth Action Plan is expected later this summer, aimed at scaling domestic capabilities and supporting regional cyber hubs in areas like Manchester and Cheltenham.
Industry leaders have welcomed the emphasis on cyber resilience. Mike Maddison, chief executive of NCC Group, said the strategy “recognises that you cannot have sustainable economic growth without strong cyber resilience,” and positions cyber as both a national security priority and a commercial growth driver.