Skip to content
City PM
  • Germany
  • France
  • Europe
  • Markets
  • Business
  • Opinion
  • DE
  • Germany
  • France
  • Europe
  • Markets
  • Business
  • Opinion
  • DE
Monday 02 June 2025 4:32 pm  |  Updated:  Monday 02 June 2025 4:33 pm

Gone phishing: the rise of retail cyber crime in three charts

By: Saskia Koopman and Amber Murray

Add as a preferred source on Google
Digital-first players Chase and Monzo confirmed they have never used them, while Starling has phased them out of Google Pay.

In the past month alone, cyber attacks have gone from occasional headlines to near-daily national news fixtures.

Marks and Spencer’s, Co-op, Harrods – along with international names like Dior and Coinbase – have all recently fallen victim to cyber incidents.

Retailers in particular have found themselves in the cross hairs, and while not every incident has made headlines, it is clear that retail crime is surging at unprecedented speed – with the retail sector as its prime target.

The sector has suffered the twin effects of high investment in cyber infrastructure used to hook customers and under-investment in cyber security.

“The barriers to entry for cyber criminals are very low,” LEK partner Jan Schneiderbanger said. “Retailers are a high-risk group.”

Retail under attack

At the heart of this crisis is data – personal data. Retailers have long sought to personalise advertising and customer experiences. In tailoring these buying experiences, they have amassed huge troves of sensitive information: Names, payment details, even shopping habits.

This data goldmine, often enclosed within outdated or insufficiently secured systems, has become irresistible for cyber criminals.

According to data from the Information Commissioners Office (ICO), phishing and ransomware attacks have climbed significantly across all sectors since 2019.

However, the retail and manufacturing sector has suffered one of the most dramatic rises of any industry tracked.

In 2019, 94 attacks were reported in this sector. Fast forward to 2024 and that number had risen to 516 attacks.

From 2022, retail arcs sharply upward, overtaking every other industry by 2024.

The red, average line follows a similar, albeit flatter trend – reinforcing that while cyber crime is rising everywhere, retail is bearing the brunt.

Two post-pandemic shifts accelerated the rise of retail cyber crime: The move away from cash towards plastic and the push for personalised advertising, which requires high levels of customers’ data.

Ransomware’s evolution

The 2025 Ransomware Report by cybersecurity firm Delinea, shared exclusively with City PM, offers deeper context and confirms that attackers are becoming more strategic and destructive.

The report found that 69 per cent of organisations surveyed have experienced a ransomware breach, and over a quarter have been hit more than once.

Alarmingly, 60 per cent of these attacks now involve data extortion, meaning the theft and threat of publishing sensitive information.

And yet, only 33 per cent of businesses have adopted effective access controls like least privilege policies, leaving dangerous gaps in cyber defences.

These vulnerabilities are being ruthlessly exploited by sophisticated criminal groups using AI-driven attacks, deepfake social engineering, and compromised credentials as a primary access point.

As AI tools advance, threat actors are leveraging them not just to break into systems, but to evade detection, automate target selection, and amplify the chaos they leave behind.

Read more

M&S to face shareholder grilling over cyber attack recovery

Marks and Spencer was one of three UK retailers to be targeted

Experts have pointed to a combination of high value data, outdated IT infrastructure, and a history of under investment in cyber security as key issues.

“Retailers on tight margins have historically underinvested in comprehensive cyber security,” says Professor Feng Li of Bayes Business School.

“As they’ve layered digital systems on top of legacy infrastructure, they’ve widened the attack surface.”

In practice, this means that attackers face less resistance when infiltrating retail systems, and more potential reward.

Cyber gangs like Scattered Spider, who were reportedly behind the M&S breach are increasingly targeting retailers with tailored phishing and ransomware campaigns, often using stolen credentials and insider information to move quickly and quietly through systems.

The high level of staff churn in retail only exacerbates the problem, according to Schneiderbanger.

“Accounts and credentials are [often] created faster than they are removed [and] helpdesks are often not able to scale their staffing in-line with the increased volume of activity (for example for password reset calls) during seasonal peaks which increases vulnerability,” he said.

M&S share price tumbles after attack

The financial consequences of these attacks are also becoming more visible.

Following its recent cyber incident, supermarket giant Marks and Spencer’s share price dropped sharply, falling from around 405p in mid-April before the attack, to just 345p by early May – an almost 15 per cent decline in less than a month.

The timeline shows a stark correlation between the disclosure of the attack and investor reaction, proving that cyber security is no longer solely a technical issue, but a boardroom one too.

The modest recovery in late May reflects partial restoration, despite remaining damage to consumer confidence.

There has been more than just market damage, too: M&S has estimated the hit to its operating profit at £300m.

Analysts have also warned of reputational damage and a loss of consumer trust, which may take years to heal.

A strategic reset needed

The Delinea report underscores the chaos ransomware brings.

Around 75 per cent of victims take up to two weeks to recover, and less than 1 per cent are still struggling after a month, but these outliers can suffer devastating consequences.

In June 2023, KNP Logistics collapsed after a ransomware breach, resulting in 730 lost jobs.

Just a year later, a similar attack on NHS supplier Synnovis led to thousands of cancelled procedures and a blood donation emergency in London.

Correction: This article was originally published with a mistaken interpretation of ICO’s data set. The article has since been updated to reflect the lower number of attacks.

Read more

Jaguar Land Rover eyes cost-cutting and wealthy buyers in cyber attack recovery

JLR logo prominently displayed in an automotive business setting, highlighting the companys brand presence and identity

Share this article

  • Facebook
  • X
  • LinkedIn
  • WhatsApp
  • Email

Similarly tagged content:

Sections

  • News

Categories

  • Retail
  • Business
  • Tech

People & Organisations

  • Co-op
  • Consumer confidence
  • cyber attack
  • harrods
  • ICO
  • Information Commissioner's Office
  • Marks and Spencer
  • uk retail

Trending Articles

  • Billionaire Easyjet founder in line for £800m payday from takeover

  • Pension pressure to help swell UK debt to three times size of economy

  • As it happened: FTSE 100 slump as oil soars; Trump says Iran will be ‘hit hard’ tonight

  • Construction sector cuts jobs again as house building slumps

  • Everyman to open at Elephant & Castle as £500m regeneration gains pace

More from City PM

  • M&S to face shareholder grilling over cyber attack recovery

    Retail
    Marks and Spencer was one of three UK retailers to be targeted
  • Jaguar Land Rover eyes cost-cutting and wealthy buyers in cyber attack recovery

    Retail
    JLR logo prominently displayed in an automotive business setting, highlighting the companys brand presence and identity
  • M&S chair: Tax and employment costs holding back Britain

    Retail
    Archie Norman, business leader, speaking at a corporate event wearing a suit and tie, engaging with the audience.
  • Gambit Cyber Launches Vizier AI – An Autonomous Security Intelligence Workspace for Continuous Exposure Management

    Business Wire
  • ‘Act now’: AI models capable of attacks on governments months away, Five Eyes warn

    Tech
    GettyImages 158774123 showcases a relevant business meeting scene, highlighting diverse professionals engaged in discussion.
  • Yubico Joins European Cyber Security Organisation (ECSO)

    Business Wire
  • TG Jones owner Modella puts jobs at risk in shoe retailer overhaul

    Retail
    High streets emptied out as retail sales fell in May.
  • The Debate: Should CEOs be held personally accountable for cyberattacks?

    Opinion
    Evil-looking keyboard symbolizing cybersecurity threats and hacking risks in a digital landscape.

City PM — European politics, business and analysis.

Europe

  • Germany
  • France
  • Europe
  • UK & Ireland

Topics

  • Business
  • Markets
  • AI
  • Technology
  • Opinion
  • Energy

More

  • Politics
  • Economics
  • Fintech
  • Legal
  • Sport
  • Life

Company

  • About City PM
  • Editorial Policy
  • Corrections
  • Contact
  • Terms of Use
  • Privacy Policy
  • Cookie Policy
© 2026 City PM · Published by CityPM Media, Bahnhofstrasse 65, 8001 Zürich, Switzerland
About · Editorial Policy · Corrections · Contact · Privacy