Not Your Father’s Retail Crime Landscape

June 24, 2025

I remember conversations with loss prevention directors in the 1980s and throughout the 90s where stories were shared of bizarre methods for stealing merchandise, gaming POS systems, insider threats and daring flashmob shoplifting attacks on high-end jewelry and electronic stores.

For decades, retail crime was a brick-and-mortar challenge—shoplifting, internal theft, smash-and-grabs—tackled with cameras, EAS tags, guards, and locked cases. Shrink—inventory loss—was measured by what could be seen or carried out the door, with success defined by catching thieves or lowering annual shrinkage.

Today, as e-commerce integration expands attack surfaces, the battlefield has moved online. Cybercriminals target loyalty programs, payment systems, backend databases, and vendor portals. Loss prevention directors now sit in boardrooms and SOCs, working with cybersecurity teams on fraud detection, identity and access management, and third-party risk. This shift demands new skills, technology investment, and a move from reactive tactics to proactive, digital-first risk management.

The retail sector is once again under siege as cybercriminals escalate their efforts to exploit vulnerabilities in some of the world’s most prominent brands. In recent weeks, major retailers such as Victoria’s Secret and Adidas have joined the growing list of victims affected by sophisticated cyberattacks. These breaches, linked to compromised third-party vendors, underscore a sobering reality: the global retail industry is facing an intensifying cybersecurity crisis, fueled by increasingly complex digital ecosystems and persistent human error.

Google’s Threat Analysis Group recently issued a stark warning that the same threat actors behind a series of cyberattacks on major UK retailers, including Marks & Spencer and Co-op, are now targeting U.S.-based retailers. These attacks, which compromised customer data, disrupted supply chains, and damaged consumer trust, have become part of a broader trend of targeted retail cybercrime. What’s particularly alarming is the root cause: mismanaged third-party access and identity security lapses.

Rob Ainscough, Chief Identity Security Advisor at Silverfort and former Head of IAM at Tesco, emphasizes that this latest wave of attacks should serve as a wake-up call. “Retailers must understand that identity is the new perimeter,” he says. “When a vendor makes a mistake, such as misconfiguring access or falling victim to phishing, it can open the door to a full-scale breach. Organizations need to move quickly to adopt continuous authentication, zero trust principles, and automated identity controls.”


Historically, retailers have been favored targets due to their large volumes of personal and financial data, as well as often fragmented IT environments. According to IBM’s 2024 Cost of a Data Breach Report, the average cost of a retail breach now exceeds $3.7 million, a figure that has steadily climbed over the past five years. Meanwhile, Verizon’s 2024 Data Breach Investigations Report notes that over 20% of retail breaches involved third-party service providers.

“Victoria’s Secret has already warned that its cybersecurity incident could take a while to resolve. Having assisted numerous organizations globally, we understand that the impact of a cyberattack can be complex, and the recovery process is both complex and time-consuming. By communicating clearly with customers and broader stakeholders, Victoria’s Secret has demonstrated that it is handling the incident properly, being transparent and considerate,” explains Tim Rawlins, senior adviser and director of Security at the consulting firm, NCC Group. “This is the latest retail business to be affected by a security incident in recent weeks. 'Consumer discretionary', the category by which we track attacks, including the retail sector, was the second-most-targeted industry for ransomware attacks globally in April 2025. It’s a sector where disruption hits fast and hard, and attackers know it.”

The trend reflects the sector’s increasing digital complexity, as cloud migration, e-commerce integration, and the expansion of sprawling vendor networks have grown the attack surface. Despite heavy investments in cybersecurity tools, retailers often fall short in identity and access management, leaving them vulnerable to increasingly targeted, identity-based threats.

According to Jordan Avnaim, CISO at Entrust, current events are ultimately the biggest clickbait for social engineering attacks.

“Unsurprisingly, we’re hearing about threat actors utilizing politics and the global economy as the impetus for their successful attacks. In this case, the topic of tariffs has been especially relevant and sensitive for U.S.-based retailers, so it makes sense that we’re seeing these attacks begin to hit,” says Avnaim. “To effectively fight back, organizations should regularly discuss their security measures and ongoing investments in those measures with their boards. Incidents like this aren’t a one-time occurrence. As such, they require ongoing attention and commitment to keep security top of mind, even at the highest level of an organization.”

While physical threats continue to define what retail theft and crime mean to most of the general public, recent breaches have made clear that cybersecurity in retail is no longer just a technical issue; it’s a business continuity imperative. With threat actors evolving faster than many defenses, the sector must respond with equal urgency, focusing on proactive identity protection, continuous monitoring, and zero-trust architectures.


About the Author

Steve Lasky | Editorial Director, Editor-in-Chief/Security Technology Executive

Steve Lasky is Editorial Director of the Endeavor Business Media Security Group, which includes SecurityInfoWatch.com, as well as Security Business, Security Technology Executive, and Locksmith Ledger magazines. He is also the host of the SecurityDNA podcast series. Reach him at [email protected].