It’s surely the biggest fear of any e-commerce site manager.
You try logging into your CRM, CMS or inventory management system one morning, only to be greeted by a ransomware note:
“Your system has been locked. Pay into this crypto wallet to release your data”.
Ecommerce and retail businesses face a range of unique threats from cybercrime.
Whether your business is exclusively digital or you combine an ecommerce presence with bricks and mortar stores, the kinds of threats you face – and the ways criminals can attack you – are complex and unpredictable.
And, as recent cyberattacks against major retailers have shown, any e-commerce business can fall victim – from major brands to SMEs.
Heimdal provides cybersecurity in the retail industry for numerous national, regional and global brands.
In this guide, you’ll learn about:
- Why the retail sector is a prime target for cyber criminals
- The types of attacks we see criminals using
- Consequences of a breach for the online retail industry
- Cybersecurity challenges for retail industry CISOs
- Ecommerce and retail cybersecurity statistics and trends
- Case studies of ecommerce data breaches
- Standards and regulations
- How to boost ecommerce and retail cybersecurity
Digital shoplifters: why the retail industry is a prime target for criminals
The retail industry is a tantalising target for cyber criminals. Retail businesses hold tons of highly personal customer data and payment card data for which they’ll try to gain unauthorized access. What is more, any disruption to websites can have huge financial consequences – meaning many ecommerce businesses are tempted to pay ransoms.
– Adam Pilton, Cybersecurity Advisor at Heimdal.
As Adam points out, cyber criminals see online shopping sites as a highly attractive target. Here are the main reasons why:
- Payment data: E-commerce sites often hold records of customer payment details and credit cards. Hackers can steal this to make illicit purchases, sell it on to other criminals, or use it for fraud and scams.
- Sensitive data: Ecommerce businesses gather troves of valuable data. Again, if they can gain unauthorized access, hackers can sell this on to other criminals who can use it for the purposes of fraud, identity theft and extortion.
- Ransoms: As Adam points out, every minute your website is down, you lose online shopping revenue. Many firms will be tempted to pay ransoms to minimise their losses.
- Complex IT stacks: Most e-commerce businesses have very complex IT stacks. You need a CMS, CRM, payment systems, customer accounts, logistics and inventory management software, IoT devices, plus many legacy backend systems (particularly if you have a heritage bricks & mortar presence). The more apps and tools you use, the more likely it is that criminals can find a weakness and break in.
What types of attacks do criminals use against ecommerce businesses?
There is an extraordinarily wide variety of retail cybersecurity threats facing the industry. As one recent academic research paper characterised it, this is a “never-ending challenge”.
Here are just some of the kinds of retail cybersecurity threats our clients face:
Account takeover
Criminals steal or guess customer login details then use these to fraudulently make purchases.
Malware
Hackers find ways to install this software in your environments. It works in the background to collect sensitive customer data and other information of value.
Ransomware
This is many cybercriminals’ end goal – if they can launch a successful ransomware attack and lock you out of your systems, they can try to force you to pay a ransom to return access.
Credential stuffing
Hackers sell databases of stolen email addresses and passwords on the dark web. With credential stuffing, other criminals use these stolen IDs to try logging into thousands of websites (this can be fruitful since many people use the same password for multiple websites).
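As an added illustration (not code from the original article), the Python sketch below shows one way a defender can spot the pattern credential stuffing leaves in login logs: a single source address working through many distinct accounts with mostly failed attempts in a short window, which is how a legitimate shopper mistyping a password never behaves. The log events are constructed for the example and the window and threshold values are assumptions to be tuned per site.

```python
from collections import defaultdict

# Constructed sample login events (timestamp in seconds, source IP, account,
# outcome) for this example only; not real data from the article.
SAMPLE_LOG = [
    # One address cycling through many accounts: the stuffing pattern.
    (100, "203.0.113.9", "alice@example.com", "fail"),
    (101, "203.0.113.9", "bob@example.com", "fail"),
    (102, "203.0.113.9", "carol@example.com", "fail"),
    (103, "203.0.113.9", "dave@example.com", "fail"),
    (104, "203.0.113.9", "erin@example.com", "fail"),
    (105, "203.0.113.9", "frank@example.com", "success"),  # a reused password hit
    # A legitimate user mistyping a password twice, then succeeding.
    (200, "198.51.100.7", "alice@example.com", "fail"),
    (230, "198.51.100.7", "alice@example.com", "fail"),
    (260, "198.51.100.7", "alice@example.com", "success"),
    # A shared office address with a few failures across three accounts.
    (400, "192.0.2.50", "gina@example.com", "fail"),
    (410, "192.0.2.50", "hank@example.com", "fail"),
    (420, "192.0.2.50", "ivy@example.com", "fail"),
]


def detect_credential_stuffing(events, window=300, min_accounts=5, min_fail_ratio=0.8):
    """Return {ip: stats} for source IPs that tried at least `min_accounts` distinct
    accounts within any `window` seconds with a failure ratio >= `min_fail_ratio`."""
    by_ip = defaultdict(list)
    for ts, ip, account, outcome in events:
        by_ip[ip].append((ts, account, outcome))

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        in_window = defaultdict(int)  # account -> attempts inside the sliding window
        fails, start = 0, 0
        for end, (ts, account, outcome) in enumerate(evs):
            in_window[account] += 1
            fails += outcome == "fail"
            # Slide the window start forward past events older than `window` seconds.
            while evs[start][0] < ts - window:
                old_ts, old_account, old_outcome = evs[start]
                in_window[old_account] -= 1
                if in_window[old_account] == 0:
                    del in_window[old_account]
                fails -= old_outcome == "fail"
                start += 1
            total = end - start + 1
            if len(in_window) >= min_accounts and fails / total >= min_fail_ratio:
                flagged[ip] = {"distinct_accounts": len(in_window), "attempts": total, "failures": fails}  # wider matches overwrite
    return flagged
```

Flagged addresses are candidates for rate limiting or a step-up challenge rather than an outright block, since a shared NAT address can look similar at low thresholds.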
Phishing and social engineering
Phishing is the most common primary cyberattack vector, according to IBM. And it’s particularly prevalent in ecommerce, where criminals will send emails or even call companies up to trick them into sharing customer data.
The recent major cyberattack against UK retailer M&S is reported to have begun with a social engineering attack, where the hackers ‘tricked’ the company’s outsourced IT helpdesk into handing over credentials.
Related: How scammers are using AI impersonation
DDoS (distributed denial of service)
In a distributed denial of service attack, attackers will use a botnet to overload an e-commerce website with traffic, causing it to fail. This can have disastrous consequences – especially during busy shopping seasons.
E-skimming and man-in-the-middle attacks
Hackers intercept customer payment details as shoppers enter them, either by tampering with the checkout page itself (e-skimming) or by positioning themselves between the customer and the site (man-in-the-middle), in order to steal sensitive data.
Website spoofing
Criminals will create spoof websites that appear to sell your company’s products – or which even mimic your site’s design and name.
Learn more: What is spoofing?
Consequences of retail cybersecurity breaches
A cybersecurity breach can have enormous and far-reaching consequences for retailers. Here are just some of the impacts they can have:
- Lost customer trust: According to one survey, 66% of US customers would no longer trust a brand that fell victim to a data breach.
- Fines: In many jurisdictions around the world, a data breach puts firms at risk of regulatory fines if it’s found they had lax security.
- Ransoms and data encryption: As already mentioned, some firms choose to pay ransoms – which can amount to hundreds of thousands of dollars.
- Lost revenue: If your website, payment system or logistics software stop working, you’ll be unable to continue selling products. Often, this is the biggest cost of data breaches in the industry.
Standards and regulations covering cybersecurity in retail
If you are responsible for the security of an e-commerce site, it’s important to comply with a number of regulations that touch on cybersecurity:
- EU General Data Protection Regulation (GDPR): Ecommerce businesses must meet minimum data protection and encryption standards and report any incidents or data breaches to the authorities.
- California Consumer Privacy Act (CCPA): Similar to the GDPR, it requires businesses to implement reasonable security measures to protect personal information from unauthorised access and use.
- GDPR equivalents worldwide: Several countries have implemented regulations similar to the EU’s GDPR. These include Brazil’s LGPD, Japan’s APPI and India’s DPDA.
- Payment Card Industry Data Security Standard (PCI DSS): This is a set of rules and standards designed to help companies that handle payment card data to keep that information secure. PCI DSS compliance is critical for building trust with customers.
- ISO standards: There are a number of International Organization for Standardization (ISO) standards that apply to ecommerce companies and which help protect sensitive customer data. These include ISO/IEC 27001, ISO/IEC 27701 and ISO 22301.
Cybersecurity challenges for security teams in retail businesses
Security staff and analysts who are responsible for ecommerce websites face a variety of challenges. Here are some of the most common issues that our clients tell us about:
You have too many security apps
“The complexity of configuring and managing all these different tools is overwhelming. It feels like we need a dedicated team just to keep them running.”
– Comment from a retail industry-focused MSP in a Heimdal survey.
As the above comment from a respondent to our recent survey reveals, many retail cybersecurity professionals are overwhelmed by the sheer number of security tools they use – and endless notifications they need to respond to.
Poor data security at smaller retail stores
Research suggests that smaller ecommerce businesses tend to have relatively poor cyber defences. For example, one recent survey found that over half of SMEs have not implemented any cyber resilience strategies.
Conflict between security and user experience
Ecommerce site owners are, understandably, focused on designing user friendly sites with the fewest possible obstacles to people buying products.
Unfortunately, this often clashes with the priorities of security staff who want to introduce more levels of protection into the customer journey. Balancing these competing priorities is a challenge.
Retail cybersecurity statistics and trends
If you’re in charge of an ecommerce business’s cybersecurity, it’s valuable to know about industry trends. The following statistics paint a picture of the industry in 2025:
- Major target: In 2024, 6% of all cyberattacks worldwide targeted the retail and wholesale industries, according to Statista. That’s equivalent to one in every 20 data breaches.
- Brand damage: One survey found that 75% of consumers would stop online shopping with a brand that suffered data breaches.
- Upward trend: According to one analysis, there were 1,500 data breaches reported in the e-commerce industry in 2020, but this rose to 2,300 in 2023.
- Expensive: According to a 2025 IBM report, data breaches cost retail firms $3.54 million on average. And some can cost significantly more.
Major e-commerce customer data breaches and cyber attacks in 2025
The retail industry has been hit by several high profile data breaches in recent years. These include:
- 2025 – UK – Marks & Spencer: British high street brand M&S suffered a major breach in spring/summer 2025 when hackers used social engineering to enter their systems and launch a ransomware attack. The disruption to the brand’s online and bricks & mortar outlets was estimated to be some £300 million (~$400m).
- 2025 – Germany – Adidas: The global sportswear manufacturer suffered a cyberattack in early 2025 that saw hackers steal customer contact information.
- 2025 – USA – North Face: The vendor of outdoor adventure gear saw customer names and email addresses stolen following a credential stuffing breach.
Cybersecurity in retail and ecommerce: protecting your business
At Heimdal, we work with numerous ecommerce industry brands to help protect them from retail cybersecurity threats.
Through our work with companies like Waterstones, JYSK, Kaufmann and many others, we’ve developed a deep understanding of how ecommerce businesses operate, and how to keep them secure.
Each retail company is unique, but there are several security measures that apply to most firms in the industry. Here’s where to start:
Get essential security measures in place
Ecommerce firms need to roll out certain essential security solutions to protect business operations and boost customer trust. These include:
- Deploy modern firewalls and antivirus
- Follow regulations – especially GDPR and PCI DSS compliance
- Segment data internally, and separate financial information from other customer information
- Encrypt data at rest and in transit
- Serve your ecommerce site over HTTPS with a valid SSL/TLS certificate
- Develop a password policy for employees
- Roll out ransomware protection and phishing protection
Implement advanced information management
These security measures make it harder for attackers to steal customer data and improve your overall posture:
- Require customers and employees to use two-factor or multi-factor authentication (MFA)
- Use Zero Trust policies internally and with any contractors
- Use AI-powered XDR technology to scan for unusual activity in customer and employee accounts
- Implement data retention policies – and periodically delete older customer data and unused accounts
- Create an incident response plan in case you are ever breached
- Create regular backups of customer accounts and payment data so you can restore business operations quickly in case of a ransomware attack
Keep security up to date
Cybersecurity for ecommerce and retail websites is not a ‘one and done’ thing. You need to continually be monitoring for new kinds of threats:
- Conduct periodic penetration testing and threat hunting to discover security vulnerabilities
- Implement patches automatically for all your software and apps
- Train employees regularly on password security and how to ‘spot’ possible phishing attacks
- Monitor for emerging cyber threats, such as AI-enhanced attacks
Your partner for cybersecurity in retail & ecommerce
We know how important customer trust is for our ecommerce clients. That’s why we’re dedicated to helping them use the most robust security measures.
– Adam Pilton, Cybersecurity Advisor at Heimdal.
For many years, Heimdal has worked with leading brands in the ecommerce and retail sector. We’ve developed a deep understanding of the industry’s unique needs and requirements – and have developed powerful solutions to keep them, and their customers’ data, protected.
Our unified cybersecurity platform approach is unique in the industry. It allows you to ‘pick and choose’ from our comprehensive range of cybersecurity solutions and connect the specific tools you need to your central dashboard.
Learn more about our unified cybersecurity platform – or contact us today for a demo.