On 30th April, the Co-op also fell victim, reporting a few days later that hackers had accessed a “significant” amount of customer data. Then on 2nd May, Harrods also experienced a cyber attack, although in this instance, they managed to prevent any malicious intrusion. 

In the M&S incident, third-party service provider Tata Consultancy Services (TCS) has reportedly launched an internal investigation to determine whether it was the gateway by which the hackers gained access.

It all points to a vulnerability amongst retail businesses, despite the fact that the threat from cyber attacks has existed for many years. But why are retail businesses being targeted?

“Retailers are prime targets for cybercriminals due to the vast amounts of personal, financial, and other sensitive data they manage. For malicious actors, access to this data is like gold dust: highly valuable and potentially extremely lucrative” Marc Rivero, Lead Security Researcher in the Global Research & Analysis Team at Kaspersky, told Fortune. 

On 27th May, Adidas became the latest victim of a cyber attack when it reported that, similar to M&S, hackers had accessed customer data through a third-party service provider.

In the case of M&S, according to Vaibhav Chechani, a Mumbai-based analyst at brokerage Nirmal Bang, if the attack did originate from the Indian company, “it will definitely impact their brand image”. TCS also works as a “strategic partner” to Co-op.

Rivero commented, “As seen in the M&S attack, social engineering allows attackers to bypass sophisticated cybersecurity measures by exploiting human error. These ‘human hacking’ tactics manipulate users into clicking malicious links, disclosing sensitive information, or granting access to restricted systems”.

“Simply put, data opens doors. It enables fraud, fuels targeted phishing campaigns, and can even be leveraged to infiltrate other businesses within the supply chain. This makes retailers not just lucrative targets, but also strategically valuable within the broader digital ecosystem”. 

M&S CEO Stuart Machin confirmed this, blaming the attack on “human error” rather than a weakness in its cybersecurity measures and added that, “it is a moment in time, and we are now focused on recovery, with the aim of exiting this period a much stronger business. There is no change to our strategy and our longer-term plans to reshape M&S for growth, and if anything, the incident allows us to accelerate the pace of change as we draw a line and move on”.

Despite this optimistic outlook, Retail Technology Magazine publisher and retail expert, Miya Knights, believes that other retailers could also be targeted, believing that those most vulnerable would be “those that have a sizable business with large tier one scale turnover across many channels”.

Speaking to Fortune, she added, “Cybersecurity has been a basic requirement for as long as retailers have deployed IT and transacted online. But, just as e-commerce has become a major growth driver, safeguarding the digital systems they now rely on must become as core to their business as it is for financial services companies.”

This should be the wake-up call that the retail industry needed in order to treat these threats in the same way as financial services institutions. Actions to combat the threat appear to be happening within the industry, with one prominent retail CTO saying that he is collaborating with several other retailers, including some direct competitors, to mitigate the risk of future cyber attacks.

According to Rivero, the retail sector is under mounting pressure from cyber groups persistently probing for vulnerabilities to access large volumes of data. He said that, “Retailers must regularly reassess their cybersecurity strategies and continue to invest in robust defense mechanisms”.

“Retailers must adopt a multi-layered approach to cybersecurity, acknowledging that no single measure can provide complete protection. This approach should begin with staff education. Training employees to recognize phishing attempts and suspicious behavior is critical, with human error remaining one of the most common entry points for attackers”, he continued.

However, it’s not all the responsibility of retailers, Rivero believes that to feel more secure, consumers should take a proactive approach to their digital safety. Regularly update passwords, enable multi-factor authentication where possible, remain cautious of suspicious messages or emails, and monitor financial activity closely, “reporting any unusual behavior immediately”, adding that, “a cautious, informed approach remains the best line of defense”.

His advice to retailers using third-party service providers: “Adopt a proactive approach: regularly conducting thorough risk assessments of all vendors, enforcing strict access controls, and requiring regular security audits. Ongoing employee training is also essential – not just for non-IT staff, but also for IT teams, who are frequently targeted by social engineering tactics”.

And as he puts it, “In a landscape where cybercriminals exploit every weak link, resilience must extend beyond the organization itself to encompass the entire supply chain and all vendors”.