Held to ransom: lessons from a summer of pain
19th November, 2025 • Online
The extent of cyber-attacks on the retail sector this year means an update on the lessons learned is already overdue, especially given the level of secrecy that has surrounded the responses to many of these incidents.
A Brutal Year for European Retail Cybersecurity
2025 has proven devastating for the retail sector across the UK and Europe. High-profile retailers — including Marks & Spencer, The Co-op, Harrods, Adidas, El Corte Inglés, Tendam, Alcampo, and Decathlon — have all fallen victim to significant cyberattacks. In many cases, these attacks were not direct intrusions into the retailers’ own systems but instead entered through the digital backdoors of third-party suppliers, underscoring the fragility of the modern supply chain.
So, what are the key lessons from these many attacks?
The Supply Chain Is the Attack Surface: El Corte Inglés, Adidas, and M&S were all breached through third-party service providers.
- Treat vendors and service providers as an extension of your enterprise.
- Implement zero trust architectures that apply across your supplier ecosystem.
- Demand security certifications, regular pen testing, and visibility into their incident response capabilities.
- Maintain a centralised third-party risk registry and integrate it with your SIEM.
Social Engineering Is Outpacing Tech Defences: The Co-op, Harrods and M&S were infiltrated by the Scattered Spider group, who used voice phishing (vishing) to impersonate IT staff and gain password resets.
- Train help desks and HR teams to spot and halt social engineering attempts.
- Enforce multi-step verification for all sensitive changes (e.g. password resets, privilege escalations).
- Limit what internal data is publicly available (e.g. LinkedIn job roles).
- Move beyond “security awareness” to attack simulation and resilience training.
Retail-Specific Digital Weak Points Are Being Targeted: Retailers lost access to point-of-sale systems, fulfilment chains, online stores, and customer loyalty systems.
- Retail CISOs must map critical dependencies between digital, physical, and customer systems.
- Segment POS, fulfilment, and web commerce systems from each other.
- Implement real-time monitoring on transactional anomalies across platforms.
Visibility and Detection Gaps Are Exploited: Many retail attacks went undetected for days or weeks due to low visibility across hybrid systems.
- Invest in extended detection and response (XDR) and real-time behaviour analytics.
- Ensure logs from cloud, in-store, and vendor platforms feed into a single threat detection system.
- Use AI-based anomaly detection to spot unusual activity in inventory systems or anomalous use of staff credentials.
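The help-desk lesson above (multi-step verification for password resets) and the detection lesson in this section (logs from every platform feeding one detection system) meet in a single correlation: a help-desk reset that skipped the verification steps, followed within a short window by a sign-in from a new device, an unexpected country or a fresh MFA enrolment, is the pattern a vishing-driven account takeover leaves behind. The script below is an added example written for this page, not code from the event organisers or from any retailer named here. The two log formats, the user names, IP addresses, the "callback" verification step, the per-user country baseline and the 60-minute window are all constructed assumptions; a real deployment would read the same fields from the help-desk ticketing export and identity-provider sign-in log.

```python
"""Correlate help-desk password resets with the sign-ins that follow them.

Added example for this page (not the event's or any retailer's code).
All log lines, names, addresses and thresholds below are constructed.
"""
from datetime import datetime, timedelta, timezone

# Constructed help-desk export. `verification` lists the identity checks the
# agent actually performed before resetting the password; "none" means the
# caller's claimed identity was taken at face value.
HELPDESK_LOG = [
    "2025-07-14T09:02:11Z reset user=j.smith agent=hd07 verification=callback,manager",
    "2025-07-14T09:41:50Z reset user=a.patel agent=hd03 verification=none",
    "2025-07-14T10:15:02Z reset user=m.jones agent=hd03 verification=callback",
    "2025-07-14T11:30:44Z reset user=s.lee agent=hd11 verification=none",
]

# Constructed identity-provider sign-in log for the same morning.
SIGNIN_LOG = [
    "2025-07-14T09:10:30Z signin user=j.smith ip=10.20.4.15 country=GB device=known mfa=enrolled_existing",
    "2025-07-14T09:45:12Z signin user=a.patel ip=203.0.113.7 country=NL device=new mfa=enrolled_new",
    "2025-07-14T10:20:00Z signin user=m.jones ip=10.20.4.88 country=GB device=known mfa=enrolled_existing",
    "2025-07-14T15:05:00Z signin user=s.lee ip=10.20.4.90 country=GB device=known mfa=enrolled_existing",
]

# Constructed baseline: countries each user normally signs in from.
# A user missing from the baseline treats every country as unexpected.
KNOWN_COUNTRIES = {"j.smith": {"GB"}, "a.patel": {"GB"}, "m.jones": {"GB"}, "s.lee": {"GB"}}

REQUIRED_VERIFICATION = "callback"   # the step policy says must never be skipped
WINDOW = timedelta(minutes=60)       # how long after a reset a sign-in is "linked"


def parse_event(line):
    """Turn '<ts> <kind> k=v k=v ...' into a dict with a UTC datetime."""
    ts_str, kind, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["kind"] = kind
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def reset_indicators(reset):
    """Process-control finding: was the mandatory verification step performed?"""
    steps = set(reset.get("verification", "none").split(","))
    if REQUIRED_VERIFICATION not in steps:
        return ["password reset issued without callback verification"]
    return []


def signin_indicators(signin):
    """Behavioural findings on a sign-in that followed a reset."""
    reasons = []
    if signin.get("device") == "new":
        reasons.append("sign-in from first-seen device")
    if signin.get("country") not in KNOWN_COUNTRIES.get(signin["user"], set()):
        reasons.append(f"sign-in from unexpected country {signin.get('country')}")
    if signin.get("mfa") == "enrolled_new":
        reasons.append("new MFA factor enrolled after reset")
    return reasons


def correlate(helpdesk_lines, signin_lines, window=WINDOW):
    """Join the two feeds on user + time window and grade each reset.

    HIGH   : verification skipped AND anomalous follow-on sign-in
    MEDIUM : only one of the two (an unverified reset with no linked sign-in
             is still reported, so the process failure is visible on its own)
    """
    resets = [parse_event(l) for l in helpdesk_lines]
    signins = [parse_event(l) for l in signin_lines]
    alerts = []
    for reset in resets:
        process_reasons = reset_indicators(reset)
        linked = [s for s in signins
                  if s["user"] == reset["user"]
                  and reset["ts"] <= s["ts"] <= reset["ts"] + window]
        behaviour_reasons = [r for s in linked for r in signin_indicators(s)]
        if not process_reasons and not behaviour_reasons:
            continue
        severity = "HIGH" if process_reasons and behaviour_reasons else "MEDIUM"
        alerts.append({
            "user": reset["user"],
            "agent": reset["agent"],
            "reset_ts": reset["ts"].isoformat(),
            "severity": severity,
            "reasons": process_reasons + behaviour_reasons,
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(HELPDESK_LOG, SIGNIN_LOG):
        print(f"[{alert['severity']}] {alert['user']} reset by {alert['agent']} at {alert['reset_ts']}")
        for reason in alert["reasons"]:
            print("   -", reason)
```

On the constructed data this flags a.patel as HIGH (unverified reset, then a new device, a new country and a new MFA factor within the window) and s.lee as MEDIUM (unverified reset, but the only later sign-in is hours outside the window). Reporting the MEDIUM case matters: it surfaces the help-desk agent who skipped the step before anyone has abused it, which is the training and process signal the lesson above asks for.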
Cyber Resilience Must Be a Business-Level Priority: Cyber Risk = Financial Risk. Marks & Spencer at one stage saw over £1bn wiped off its valuation.
- Retail CISOs must lead cross-functional resilience planning: not just IT but logistics, legal, brand, and customer experience.
- Secure off-site backups of operational data, and test recovery plans regularly.
- Simulate full-blown outages of fulfilment systems, payment gateways, and CRM platforms.
- Work closely with the CFO to quantify cyber risk in financial terms: lost revenue per hour, customer churn, and data breach penalties.