Harrods, Marks & Spencer, Adidas and more — why are retailers facing this wave of cyberattacks in recent months? A few days after Victoria’s Secret shut down its website due to a cyberattack, Cartier and The North Face revealed the loss of customer data in their own attacks. 

James Maude, Field CTO at BeyondTrust, states, “This is yet another reminder that no brand is too big or too luxurious to be breached.”

While retailers may be targeted, Maude points out that malicious actors may not be after just these organizations. “The retailers themselves are not always the ultimate target and these may well represent supply chain attacks on high net worth individuals. The very nature of their client base makes them a valuable target for reconnaissance and information harvesting which may be used in further highly targeted and sophisticated social engineering attacks. In turn the luxury retailers are often smaller operations focused on brand and quality rather than IT so may be more similar to much smaller organizations in terms of their security maturity.” 

But why are retailers such a target in recent months? In both the United States and the United Kingdom, retail companies are facing notable cyberattacks. Maude believes that the emphasis on user-friendly features can weaken retailers’ website security. 

“In general, the retail sector can find themselves caught in tradeoffs where their focus is on making it as easy as possible to buy an item not making it as secure as possible. Nobody wants to prompt a customer to pass an MFA challenge that might make them think twice about an impulse purchase. Similarly, rewards points and loyalty schemes have become a frequent target for attack as attackers launch credential stuffing campaigns fueled by other breaches to access and cash out rewards and points into untraceable gift cards or goods.”

Below, more security experts share their insights on the cyber risks the retail sector is facing — and how retailers can defend against these threats. 

Why Are Cyberattacks Targeting Retail?

Ben Hutchison, Associate Principal Consultant at Black Duck:

Given the recent increase in cybersecurity attacks and incidents affecting retailers in both the U.S. and U.K., it’s unfortunate that the sector may be seen as a prime target, experiencing a surge in attack frequency and variety. This could be due to new attackers perceiving the sector as vulnerable, while previous attackers may be intensifying their efforts to maximize their gains or cause damage, depending on their motivations.

It’s also noteworthy that a diverse range of attack techniques have been used in recent compromises, suggesting the possibility of additional actors being involved. However, it could also mean that some targets were simply more susceptible to different methods in the attackers’ toolkit. Despite the variety of attacks, there are some common threads, such as the compromise of third-party services and supply chain dependencies, which served as entry points into the affected organizations.

This pattern is evident in recent incidents involving Adidas and MainStreet, based on previous reports, while other high-profile cases appear to have exploited vulnerabilities in the impacted services directly.

All of this underscores the importance for organizations to enhance their cybersecurity and digital resilience. This should not only focus on the technical aspects of their own systems but also include strategies to manage and mitigate risks within their broader supply chain and third-party relationships.

Agnidipta Sarkar, Chief Evangelist at ColorTokens:

Although the Cartier attack originated from a breach of an IT services provider, I believe that these recent cyberattacks are part of a broader trend of cyber threats targeting retailers and fashion brands, called Operation Grand Tour, which includes several other high-profile brands in the past few months. 

These leading brands not only have personal data of High Net Worth Individuals (HNI) and Ultra High Net Worth Individuals (UHNI), which is ideal for phishing, blackmail, or identity theft, they also have sensitive internal documents, such as design blueprints, financials, and supply chain details which can be sold to competitors or counterfeiters. However, the biggest impact is the reputational damage that could happen. 

What business and security leaders need to contemplate is the indication that cyberattacks are increasing, despite the best in class security programs. It is time they adopted zero trust mechanisms to stop lateral movement, using best-in-class microsegmentation tools immediately, especially those that are hyper focused on stopping the proliferation of breaches. Boards should be asking how the security leaders plan to ensure digital operational resilience by using breach ready cyber defense.

Ms. Nivedita Murthy, Senior Staff Consultant at Black Duck:

Retailers are always the biggest targets when it comes to gathering datasets of customer information for further attacks, especially luxury retailers who would cater to high-end clients. While in these cases sensitive information, such as passwords or credit card information, was not stolen, these breaches seem to be the first step towards phishing customers with curated information about their purchase history making them more susceptible to falling victim to fraud. Companies should take protecting customer data their highest priority as even basic information such as names, date of birth, email addresses and purchase history can be used to defrauding unsuspecting customers using the company’s name.

Haviv Rosh, Chief Technology Officer at Pathlock:

One lesson companies should learn is that MFA is no longer a “nice-to-have” option — it is a necessity, especially for critical applications. This is particularly evident given that one of the incidents resulted from a successful credential stuffing attack. 

At the same time, in the face of increasingly widespread and sophisticated threats, security leaders must go beyond just preventive measures. They need to implement comprehensive strategies that address every stage of the cybersecurity incident lifecycle — especially those that allow them to flag malicious activity at an early stage and prevent attackers from moving laterally across a company’s network.  

This includes identifying and prioritizing the protection of their most critical data; network segmentation; immutable backups; and leveraging infrastructure-as-code to rapidly redeploy environments. Incorporating serverless or container-based architectures for modular failover, along with privileged access governance that includes real-time auditing and drift detection, are also essential components. Finally, a critical — yet often overlooked — element of this approach is continuously testing the organization’s incident response plan under real-world conditions.