From the aisles of iconic British department stores to the backend systems of global wellness and fashion brands, the first half of 2025 has delivered a brutal reality check for retail cybersecurity. Highly coordinated cyberattacks—often involving third-party contractors and phishing exploits—have brought online operations to a halt, disrupted supply chains, and exposed critical customer data.
Here are the most significant retail cyberattacks of the year (so far), how they unfolded, and what they’ve revealed about growing vulnerabilities in the sector:
1. Marks & Spencer (UK) — The Easter Shutdown That Shook British Retail
Timeline: April 19–June 10, 2025
Attack Vector: Phishing + third-party vendor breach
Impact: £300 million revenue hit, 46 days of online shutdown, widespread delivery disruption
Over the Easter weekend, Marks & Spencer was hit by a debilitating cyberattack that targeted one of its third-party IT contractors. Hackers affiliated with the cybercriminal group "Scattered Spider" used a phishing campaign and SIM-swapping to exploit weak authentication protocols and gain access.
The breach crippled M&S’s digital operations. Online clothing orders were suspended from April 25 through June 10, while food delivery logistics and in-store payment systems faced intermittent disruption. The result was a 46-day shutdown of key e-commerce capabilities during peak shopping weeks.
The financial fallout was severe: M&S projected a £300 million impact to operating profit for the year, with insurance expected to recover roughly £100 million. Clothing sales dipped more than 20% during the worst weeks of disruption. Food sales growth slowed from 14.7% to 9.1% year-on-year. The company also lost more than £1 billion in market capitalization in the immediate aftermath.
UK authorities, including the National Cyber Security Centre (NCSC) and the National Crime Agency, are investigating. M&S responded by resetting internal credentials, enhancing contractor vetting, and accelerating planned IT upgrades.
2. Harrods & Co-op (UK) — Prestige and Daily Essentials Disrupted
Timeline: Late April–Early May 2025
Attack Vector: Phishing + system compromise via digital vendor
Impact: Checkout system failures, leaked employee credentials, partial store outages
In the weeks following the M&S attack, Harrods and Co-op both disclosed separate cyber incidents, believed to be carried out by affiliated threat groups using similar attack techniques.
Harrods experienced backend disruption, with unauthorized access to its database infrastructure reported. While no specific customer data theft was confirmed, the company undertook emergency system checks and data integrity reviews. Co-op was more directly impacted: employee and customer credentials were accessed, resulting in login issues and temporary checkout disruptions at select stores.
Both retailers have since restructured their authentication frameworks. Co-op implemented password resets across its workforce and enforced stronger endpoint protection. Harrods invested in upgraded database encryption and initiated a broader review of its digital vendor ecosystem.
3. Victoria’s Secret (US) — When Glamour Goes Dark
Timeline: May 24–June 3, 2025
Attack Vector: Suspected ransomware attack
Impact: Website offline for 5 days, 10-day delay in earnings release, stock down 7%
In late May, Victoria’s Secret suffered a cyber incident that forced it to take its website and related systems offline for several days. While the company did not confirm the nature of the breach, external reports and analysts suspect it involved ransomware targeting the brand’s e-commerce infrastructure.
Between May 24 and May 29, the retailer’s website remained inaccessible, affecting both direct sales and fulfillment operations. Physical stores were not affected, but the timing—just ahead of the Memorial Day weekend—resulted in significant lost revenue opportunities.
The incident also forced Victoria’s Secret to postpone its scheduled Q1 2025 earnings release, which was originally set for June 5 and delayed until June 14. Upon reporting, the company posted $1.35 billion in revenue and $32 million in operating income, but noted increased costs due to the breach. Investor reaction was swift, with the stock falling nearly 7% over the week.
The company has since resumed online operations, brought in external cybersecurity firms for forensic investigation, and stated that no customer payment data had been compromised.
4. UNFI & Whole Foods (North America) — The Supply Chain Freeze
Timeline: June 2025
Attack Vector: Systems-level infrastructure breach
Impact: Stockouts across grocery shelves, delivery delays, 8.5% drop in UNFI share value
United Natural Foods Inc. (UNFI), a major grocery distributor for Whole Foods and others, disclosed a systems disruption in June that slowed or halted logistics operations across North America. The company described the event as a cybersecurity incident that impaired warehouse and routing software.
Whole Foods customers across several U.S. and Canadian locations reported product shortages, particularly of perishables like dairy and produce. UNFI scrambled to reroute deliveries using alternate systems but could not prevent multi-day service gaps.
In the aftermath, UNFI’s stock dropped by 8.5%, and the company assured stakeholders that no customer or financial data had been stolen. A security overhaul is underway, including the introduction of network segmentation, system redundancies, and off-grid backups.
5. Adidas & The North Face (EU + UK) — Sporting Goods, Stolen Data
Timeline: May 2025
Attack Vector: Compromise of shared e-commerce infrastructure provider
Impact: Leaked customer info, GDPR compliance actions, localized sales disruption
A data breach in May involving a shared e-commerce vendor exposed personal data from customers of Adidas and The North Face across multiple European markets. The attackers accessed customer order details, account login credentials, and email addresses.
Both brands issued public notifications within the GDPR-mandated 72-hour window. Customers were advised to change their passwords immediately. While no breach of financial data was reported, the incident led to brief customer support outages and disrupted order tracking.
Regulators in Germany, France, and the UK opened formal inquiries. In response, Adidas and The North Face pledged to adopt zero-trust architecture across their platforms and initiated third-party security audits of all logistics and digital suppliers.
Conclusion
The wave of retail cyberattacks in 2025 has shown that no brand—legacy or digital-native—is immune. Third-party vulnerabilities, poor password hygiene, and over-reliance on outdated IT infrastructure have created fertile ground for threat actors.
As cybercrime continues to evolve, retailers are being forced to treat cybersecurity not as a backend IT issue but as a core operational and reputational risk. For those that don’t, 2025 has made one thing painfully clear: the cost of inaction is far higher than the price of preparation.