Why Online and Physical Retailers Are Increasingly Targeted by Cyber Criminals

Retailers sit at a particular intersection of cyber risk: they process payment card data at scale, hold customer personal information, operate under time pressure that discourages security friction, and frequently combine physical premises with online channels in ways that create a complex security perimeter. For small and medium-sized retailers — whether online, physical, or both — the threat profile is more serious than most owners appreciate, and the entry points attackers use are often not the ones retailers are watching.

Payment Card Data: The Primary Target

Card-not-present fraud — fraud using payment card details where the physical card is not presented — costs the UK payments industry hundreds of millions of pounds annually. The card details used in these attacks are harvested from retailers through several well-documented mechanisms.

Web skimming (Magecart attacks). Malicious JavaScript injected into an e-commerce website that silently captures card details as customers enter them at checkout, transmitting the data to an attacker-controlled server. The customer experiences a normal checkout process. The retailer's systems show a successful transaction. The card data has been stolen. These attacks are often discovered weeks or months after installation, by which point thousands of customer card details have been exfiltrated.

Magecart-style attacks typically enter through third-party JavaScript libraries included on the checkout page — analytics tools, chat widgets, customer review plugins — rather than through the retailer's own code. A compromise of any JavaScript library loaded on your checkout page is, functionally, a compromise of your checkout page. Retailers using hosted checkout solutions from major payment gateways (Stripe, PayPal, Braintree) reduce this risk significantly because card entry happens on the gateway's domain, not the retailer's.
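As an added illustration that is not part of the original article, the Node.js snippet below audits the script tags of a constructed checkout page against an allowlist of origins the retailer has decided to trust, flagging unexpected origins, allowed scripts that lack a Subresource Integrity hash, and inline scripts, and then emits the matching CSP `script-src` directive. Every domain in it is made up for the example.

```javascript
// Constructed sample checkout HTML (no real site); one trusted gateway script,
// one trusted analytics script with SRI, one unreviewed widget, one inline script.
const SAMPLE_CHECKOUT_HTML = `
<html><head>
<script src="https://js.payment-gateway.example/v3/"></script>
<script src="https://cdn.example-analytics.com/track.js"
        integrity="sha384-CONSTRUCTED" crossorigin="anonymous"></script>
<script src="https://cdn.reviews-widget.example/widget.js"></script>
<script>window.__cfg = { currency: "GBP" };</script>
</head><body>...</body></html>`;

// Origins consciously approved for the checkout page (assumed allowlist).
const ALLOWED_ORIGINS = new Set([
  "https://js.payment-gateway.example",
  "https://cdn.example-analytics.com",
]);

// Pull every <script> tag out of the HTML with its src, integrity and body.
// Regex extraction is enough for this illustration; a DOM parser is the
// production choice.
function extractScripts(html) {
  const scripts = [];
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    const integrity = /\bintegrity\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    scripts.push({ src: src && src[1], integrity: integrity && integrity[1], body: m[2].trim() });
  }
  return scripts;
}

// Compare each script against the allowlist and report what a skimmer could hide in.
function auditCheckoutScripts(html, allowedOrigins) {
  const findings = [];
  for (const s of extractScripts(html)) {
    if (!s.src) { findings.push({ kind: "inline-script", detail: s.body.slice(0, 60) }); continue; }
    const origin = new URL(s.src).origin;
    if (!allowedOrigins.has(origin)) findings.push({ kind: "unexpected-origin", detail: origin });
    else if (!s.integrity) findings.push({ kind: "missing-sri", detail: s.src });
  }
  return findings;
}

// Turn the same allowlist into a CSP script-src directive so the browser enforces it.
function buildScriptSrcPolicy(allowedOrigins) {
  return "script-src 'self' " + [...allowedOrigins].join(" ");
}

console.log(auditCheckoutScripts(SAMPLE_CHECKOUT_HTML, ALLOWED_ORIGINS));
console.log(buildScriptSrcPolicy(ALLOWED_ORIGINS));
```

Running the audit against a copy of the live checkout page on a schedule, and diffing the findings over time, turns the "weeks or months" discovery window described above into a same-day alert when a new origin or inline script appears.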

Physical point-of-sale skimming. Hardware devices attached to or installed inside card readers on physical payment terminals. These devices capture card data from the magnetic stripe or intercept the PIN entry. For physical retailers, POS terminal security — ensuring terminals have not been tampered with, implementing tamper-evident seals, and training staff to recognise signs of tampering — is a specific control category that is often overlooked in broader cyber security discussions.

Database theft. Attackers who compromise a retailer's systems may target the customer database directly, extracting stored card details, customer personal information, and order histories. Retailers that store full card numbers — contrary to PCI DSS requirements — are creating a high-value target. Retailers that store card tokens, expiry dates, and customer references are still holding data that has commercial and fraud utility.

Customer Personal Data: Beyond Card Numbers

A mid-sized online retailer with 10,000 active customers holds personal data — names, email addresses, delivery addresses, purchase histories, and potentially date of birth and telephone numbers — for all of them. This data has direct commercial value on criminal marketplaces for targeted phishing and identity fraud. It also creates GDPR obligations that many small retailers have not fully considered.

Under UK GDPR, customer personal data must be held securely, retained only for as long as necessary, and — if breached — reported to the ICO within 72 hours where the breach meets the notification threshold. A retailer whose customer database is exfiltrated and whose customers are subsequently targeted with phishing emails using the stolen data faces ICO regulatory action, direct reputational damage, and potential civil liability.

Ransomware and Operational Disruption

For retailers, the timing of a ransomware attack is everything. An attack that takes the e-commerce platform offline during the pre-Christmas trading period, or that encrypts the inventory and order management system on Black Friday, creates revenue losses that dwarf the ransom demand and the recovery costs combined. Criminal groups that target retailers are aware of peak trading periods and time attacks accordingly.

Physical retailers face the additional risk that a ransomware attack encrypting their EPoS system makes the tills inoperable — unable to process card payments, unable to check stock, unable to process returns. For a retailer whose entire revenue depends on in-store transactions, even a day of till downtime has direct and immediate financial consequences.

The Supplier and Integration Risk

Modern retail operations depend on integrations: courier and delivery APIs, stock management systems, accounting software connections, loyalty platform integrations, and payment gateway connections. Each integration is a potential attack vector in both directions. A compromised courier API that an attacker uses to redirect delivery notifications can also be used to harvest customer order and address data. A stock management system with inadequate authentication that connects to both the retailer's network and a cloud service creates a pathway that bypasses the retailer's own perimeter controls.

The supply chain security consideration applies to retailers as directly as to any other sector: your operational technology is only as secure as the integrations you have built around it.

Protecting the Systems That Drive Your Revenue

SOC in a Box provides 24/7 monitoring of your retail network, e-commerce infrastructure, and EPoS environment — detecting the web skimming indicators, anomalous data transfers, and lateral movement that precede card data theft and ransomware deployment. It comes with DLP policies pre-configured for payment and customer data, includes Cyber Essentials certification, and goes from order to live monitoring in five working days.
