UK retailers have experienced cyber attacks en masse in recent years, but especially in the first half of 2025, affecting brands of all shapes and sizes. From WHSmith and FatFace to Victoria’s Secret and Adidas to Marks & Spencer, Harrods, and Co-op, the news has shown just how costly and disruptive these attacks can be. And the trend shows no signs of slowing down.
The North Face has been the latest major retailer to hit the headlines this week, with Cartier also experiencing a cyber attack. The North Face’s UK and EU websites were taken offline following a systems breach that was detected in April, with customers urged not to log in as investigations continue. In a similar vein, Cartier recently confirmed “an unauthorised party gained temporary access to [their] system” that impacted its operations, joining a growing list of global retailers dealing with the fallout of modern cyber crime.
With online orders paused, employee data exposed, and reputations at risk, cyber threats have become a business-critical issue for retail leaders.
But don't be fooled: it's not just large-scale retailers that are targets and have been hit by cyber attacks. Smaller businesses are also massively at risk, and a cyber attack is often far more damaging for SMEs than for larger organisations.
Did you know that in the last 12 months 48% of small businesses in the UK reported at least one breach or attack?
In response, the UK Government has announced new legislation designed to strengthen national cyber resilience. Introduced during the King's Speech 2024, the upcoming Cyber Security and Resilience Bill will mark a shift in how businesses of all sizes – retailers included – are expected to manage cyber risks.
Understanding what this legislation means and how to prepare will be essential for retailers who want to remain secure, trusted, and compliant in a fast-evolving threat landscape.
Retailers have become increasingly attractive targets for cyber criminals. They handle both personal and financial data, operate supply chains, and often depend on IT providers and cloud services to keep stores and websites running. This creates a wide surface area for attackers to exploit.
Recent high-profile breaches have illustrated the impact:
These aren’t isolated cases – they represent a broader trend. The UK’s 2024 Cyber Security Breaches Survey found that over half of businesses experienced some form of cyber attack in the last year. With attacks becoming more sophisticated and frequent, building resilience is no longer optional.
It's Not Just Big Businesses at Risk
While high-profile brands make the headlines, small and medium-sized businesses are targeted just as often – and are often less prepared.
According to the 2024 Cyber Security Breaches Survey, 48% of small businesses in the UK identified at least one breach or attack in the past 12 months. In Greater Manchester alone, where retail SMEs form a major part of the regional economy, the GM Cyber Foundry estimates that fewer than 30% of SMEs have a dedicated cyber security plan in place. For every large-scale breach in the news, many more go unreported in smaller businesses, some of which face serious financial and reputational consequences.
The reality is clear: no retailer is too small to be targeted, and local businesses in the North West should take action now to avoid becoming the next statistic.
The upcoming legislation is part of the Government’s effort to modernise how cyber risks are regulated across the UK economy. While it will initially focus on companies delivering “essential digital services”, it’s expected to cover a broader range of sectors than previous laws. That includes areas of retail with digital operations, ecommerce platforms, and the IT providers that support them.
Key features of the proposed Bill include:
In short, even if your retail business isn’t directly regulated under the new law, it may still be affected – especially if your technology suppliers are brought into scope.
While details of the bill are still being finalised, the direction of travel is clear: retailers are being encouraged to move from reactive cyber security to proactive, strategic risk management. Here are several ways to start preparing.
Cyber security is no longer just an IT issue – it’s a leadership priority. Boards and senior executives should have visibility into cyber risks and play an active role in reviewing preparedness. This includes setting policy direction, approving budgets for security, and asking informed questions about supply chain risks.
Investing in cyber security infrastructure (such as firewalls, endpoint protection, patch management, and monitoring) can help defend against many common threats. Retailers should also consider conducting penetration tests and simulations to uncover weaknesses before attackers do.
Retail businesses often rely on a network of vendors, logistics partners, payment processors, and IT service providers. Each of these relationships can introduce risk. Retailers can improve resilience by:
Being clear on who does what in a crisis – and how quickly they will act – can make a big difference.
In light of the proposed reporting requirements, response plans should be updated to ensure key personnel know how to escalate, contain, and report incidents promptly. Running through simulated cyber scenarios (known as tabletop exercises) can help refine plans and improve response time.
Many attacks start with phishing emails or social engineering. Retail staff – from the back office to the shop floor – should be trained to recognise common threats and understand their role in protecting the business. Regular awareness campaigns can help create a culture of cyber security.
While legislation will introduce new obligations, the wider opportunity for retailers lies in building long-term resilience. Being prepared for cyber threats can reduce operational disruption, build customer trust, and position a business as a responsible brand.
Forward-thinking retailers are using this moment not just to tick boxes, but to reassess how digital risk is handled across the business. That might mean investing in cyber insurance, adopting industry frameworks (such as Cyber Essentials or ISO 27001), or embedding cyber security into new digital projects from the start.
Cyber legislation is evolving to meet a new reality: digital systems are now critical to national infrastructure – and to retail operations. The upcoming Cyber Security and Resilience Bill is a clear signal that the UK Government expects businesses to raise their game.
Retailers don’t need to wait for the law to change. By understanding the landscape now and taking early action, they can reduce risk, protect their customers and staff, and remain confident in the face of growing cyber threats.
If you’d like a simple starting point, ask yourself: “If a cyber attack hit tomorrow, how prepared would we be?” The steps you take today could make all the difference tomorrow.