In April, retail giant Marks & Spencer (M&S) was hit by a devastating ransomware cyber-attack. The incident impacted the firm across multiple channels, affecting in-store sales and resulting in empty shelves across M&S’ 1,400-strong estate.

The ransomware cyber-assault also took M&S’ website down, with the retailer only getting online sales back up and running in mid-June, six weeks after the initial attack.

Not long after the M&S incident, another UK retailer, the Co-op was hit by an attack that disrupted operations. Soon after that, high-end retailer Harrods admitted it had suffered a breach.

Over the last few weeks, Adidas and Dior have also reported being the victims of cyber-attacks.

So, why are adversaries suddenly so interested in retailers, and what should the industry expect following this surge of attacks during the first six months of 2025?

Retail targets

Vast estates of disparate, legacy technology combined with large amounts of consumer data make retailers an attractive target for cyber-criminals. The data retailers collect – such as names, addresses and payment information – makes them prime targets for data and ransom demands, says Kevin Modiri, partner and solicitor at law firm Nelsons.

Another factor making retailers vulnerable is their use of “just-in-time” inventory systems, and their dependence on supply chains to keep shelves stocked, says Adam Harrison, managing director in the cybersecurity practice at FTI Consulting.

Meanwhile economic pressures have driven many retailers to accelerate digital transformation, often without proportionate investment in security. This has created a vast attack surface to manage, Harrison says. “Depending on the retailer, this may include distributed networks across hundreds or thousands of locations, e-commerce platforms, payment systems and loyalty card infrastructure – all of which can create vulnerabilities for cyber-criminals to exploit. “

Customer-facing mobile apps, in-store technologies such as public Wi-Fi, digital signage and internet of things (IoT) devices add to the issue, says Harrison.

Retail under siege in 2014 – and 2025?

The surge in retail cyber-attacks in 2025 echoes a trend that was last seen in 2014 – a year marked by a streak of major breaches on large retailers in the US. In most cases, point of sale (PoS) malware was at play, and this led to retailers improving their PoS terminal security, according to a Kaspersky blog.

Why are adversaries focusing on retailers again? In some cases it might be a result of the way ransomware operators work, experts say.

Well-oiled ransomware operations – where affiliates are actually “distributed teams” of attackers – will tend to focus in waves, says Jim Walter, senior threat researcher, SentinelLABS. This is happening with the DragonForce ransomware attacks that hit M&S, the Co-op and Harrods, he says.

Ransomware is so effective in retail because attackers know their victims are likely to pay up. “Their dependence on real-time systems means attackers know that any downtime can cause chaos, which can push victims towards paying up quickly,” Walter says.

In addition, because many retail systems are internet-facing and handle sensitive financial data, they are low hanging fruit for ransomware operators, says Walter. “Common initial access vectors used by groups like DragonForce – such as phishing, VPN exploits and credential stuffing – are particularly effective when retailers lack full visibility or robust segmentation across their digital infrastructure.”

Once inside, adversaries are therefore able to move laterally using common off-the-shelf tools, escalate privilege and exfiltrate data – before launching ransomware, he says.

Slow to respond

In some cases, retailers have seemed to be slow to respond to cyber-attacks. M&S experienced “prolonged disruptions”, with online services remaining unreliable weeks after the initial incident, says Holly Foxcroft, cybersecurity business partner at OneAdvanced.

A long response time and the eventual discovery of lost data in cyber investigations can sometimes be indicative of a lack of cyber maturity, says Richard Allen, cybersecurity expert, PA Consulting. However, he thinks the approach taken by those recently attacked “appears to be a measured response”.

The longer response time is likely to be the result of attackers targeting key infrastructure, which takes time to fully assess, secure and restore, Allen explains. “As retailers often have globally connected operations and interconnected systems, the recovery process needs to be meticulous.”

Harrison agrees. “Ransomware incidents are inherently complex as threat actors often cover their tracks, and the damage caused by the attack can make it difficult to fully investigate the circumstances.”

Even so, the latest retail attacks reflect an uncomfortable reality – lessons from previous incidents are not always being acted on, says Becky White, senior data protection and privacy solicitor at law firm Harper James. “After a breach, some organisations do the bare minimum to return to operational status, rather than taking the opportunity to reassess their cyber-strategy. This allows attackers to evolve, often recycling successful tactics across similar targets.”

Addressing root causes

Amid this latest spate of attacks, retailers must shore up their defences. If retailers don’t address root causes, such as insecure supply chains, poor access controls or unpatched systems, they leave the door open to further compromise, White says.

She points to the fact that many recent attacks exploit known vulnerabilities, which suggests that “while awareness may be growing, action is lagging behind”.

Education is a key factor in boosting retail security. Modiri recommends “comprehensive and consistent” staff training to improve awareness of phishing, social engineering and other common attack vectors.

Conducting frequent audits can help identify and address potential weaknesses before they are exploited and identify any risks to the business, Foxcroft says.

Retailers should also ensure they develop comprehensive incident response plans, she advises. “Having a well-defined and tested response strategy ensures quicker recovery and minimises damage in the event of a breach. The plan should be tested regularly with a number of scenarios including different areas of the business – not only the cybersecurity teams.”

Kate O'Flaherty Cybersecurity and privacy journalist