Cybercriminals are zeroing in on retailers with increasingly sophisticated attacks designed to cause maximum disruption—and force multimillion-dollar payouts.
“They go for places where disruption causes maximum chaos,” said Tony Anscombe, Chief Security Evangelist with global cybersecurity company ESET, who is based in the UK and works closely with North American clients.
With ransomware attacks like the recent $300-million hit on Marks & Spencer, and breaches involving major brands like Victoria’s Secret and Cartier, Anscombe warns that “a cyber attacker is looking at who’s most likely to pay.”
The appeal lies in the data-rich environments retailers operate in, and their dependence on online operations and distribution—prime targets for extortion. Despite many adopting frameworks like NIST (National Institute of Standards and Technology) and investing in cyber insurance, “human error” and third-party vulnerabilities remain open doors to attackers.
As Anscombe puts it, “You grow or you die,” and in retail’s digital battlefield, that growth depends on proactive security, not complacency.
“We’re a long-standing cybersecurity company. We’ve been in the market for over 30 years,” he said. “What’s unusual is that we’re still privately owned—no outside investment, no private equity, and still run by our founders.”
“In Europe, we’re actually the largest provider of business cybersecurity products. We started out providing what used to be called antivirus software. Today, we’re more focused on advanced threat detection and response—what’s known as EDR and MDR. That includes both managed and on-premise solutions, depending on what our customers need.”
The company also distinguishes itself through its focus on research.
“If you follow the ESET brand, you’ll see we publish a lot of research . . . We even have a dedicated site—WeLiveSecurity.com—for research publications. That’s separate from our main product site, eset.com,” said Anscombe. “Our research often covers areas that go beyond our products, like critical infrastructure and operational technology.”
When it comes to retail, cybercriminals are becoming more aggressive and strategic in their attacks.
“They go for places where disruption causes maximum chaos,” said Anscombe. “If they get into the right part of the business and disrupt it, it stops operations. And of course, most retailers have a lot of rich personal data on their shoppers as well.”
He pointed to the Marks & Spencer attack around Easter this year. “It’s reported to have cost them about $300 million in profits.”
That kind of financial fallout makes retailers tempting ransomware targets.
“A cyber attacker is looking at who’s most likely to pay my ransomware demand,” said Anscombe. “If you can find somebody that has a high disruption cost—like taking down an online store or halting distribution—then you are more likely to get paid.”
Retailers are also more likely to carry cyber risk insurance, which increases the chance of a payout when insurers get involved.
While large retailers often follow cybersecurity frameworks such as those from NIST, they’re not always enough.
“Companies have a hybrid of those,” said Anscombe. “For example, in Canada, you’ve got privacy legislation. A company may well have a hybrid of a security framework, compliance with regulation, and industry-specific requirements. If a retailer offers financial services like credit cards, they might also have to comply with financial regulation.”
But even the best-laid plans have their weak points.
“There are many times it’s unfortunately human error,” said Anscombe. “We’re the weak point. Unfortunately for most organizations, human error is often the place. Or third-party—that’s the other big inroad. If you can breach a smaller company that does business with a bigger company, potentially you might be able to get to the bigger company.”
Anscombe said fashion and luxury brands are especially vulnerable.
“If you look at the breaches recently—you’ve got Victoria’s Secret, Cartier—some really prestigious brands have been hit,” he noted. “The media will pick up on a breach of a significant brand. If someone like Ace Hardware got hit in the U.S., it probably wouldn’t make much of a splash. But a brand like Cartier? That is significant news.”
“Companies don’t like bad press because they lose trust. It affects their stock price. I think Whole Foods had an incident earlier. As I recall, they lost 8% of their stock price (initially).”
And with public companies required to disclose breaches through SEC filings, information becomes public fast.
“That makes them, unfortunately, very much in the frame for cybercriminals. They’re going to want to minimize disruption, which increases the likelihood they’ll pay a ransomware demand.”
So what can retailers do to protect themselves?
“Firstly, they should audit what they’ve got and understand where their weak points are,” said Anscombe. “You often find in companies that round the corner will be some remote access server that still doesn’t use two-factor authentication.”
“Everything should be known and secure—MFA (Multi-Factor Authentication), access controls. When was the last time they tested their restore, not just their backup? If you’ve never tested that you can restore it, you might have problems.”
Anscombe recommends more frequent employee training, not just the annual checkbox for insurance.
“Even a 10-minute snapshot version every three months that refreshes what phishing links look like, etc., can make a big difference.”
He also emphasized the importance of keeping software up to date and using advanced tools like EDR (endpoint detection and response).
“Cyber attacks don’t happen the way you and I think of as viruses anymore,” he explained. “Somebody gets in, routes around for a bit, and tries to stay undetected. EDR picks up anomalies in traffic—like someone outside communicating with the inside in an unusual way.”
In fact, that’s how Whole Foods reportedly detected their recent breach.
“They picked up weird traffic—an anomaly. So as a precaution, they shut down their systems.”
That proactive approach is key in an increasingly risky digital environment for retailers.
Related Retail Insider stories:
Is the woman in the stock photo meant to be the retailer or the cybercriminal