What does 2025 hold for cybersecurity in retail? asks Dan Holden, CISO at the platform BigCommerce.
The retail landscape is rapidly transforming, with technological innovation increasingly becoming both a competitive advantage and a potential vulnerability. As retailers embrace cutting-edge technologies like Generative AI to enhance customer experiences and operational efficiency, digital battlegrounds have become fraught with complex cybersecurity challenges. Cyber threats have evolved from a technical afterthought to a critical boardroom discussion, reflecting the challenges faced in increasingly interconnected retail ecosystems. According to the British Retail Consortium (BRC) 2024 Crime Survey Report, 57 per cent of retailers reported an increase in cyberattacks and breaches. At least 90 per cent have also reported that cyberattacks have either stayed the same or increased yearly since 2015 – a stark reminder of the retail sector’s persistent and growing digital risks.
Here’s how I see those risks evolving in 2025:
Generative AI exploitation
As AI becomes deeply integrated into retail operations, the risks surrounding misuse are dramatically escalating. For instance, an AI-driven customer service chatbot can be manipulated by malicious actors, potentially leading to unauthorised access to sensitive customer data. In the coming year, cybersecurity experts predict attackers will increasingly target Generative AI models used by retailers, creating significant potential for operational disruptions and data breaches. These AI systems, now critical to retail operations, are vulnerable to sophisticated attacks that could compromise customer service efficiency and expose critical business vulnerabilities.
The core risk lies in the sophisticated ways attackers can exploit AI’s complex decision-making processes, turning what was once a technological advantage into a potential security liability. Retailers must recognise that their AI systems are not just technological tools, but potential entry points for cybercriminal activities.
Supply chain attacks
The complexity and distribution of digital ecosystems make them prime targets during high-demand periods. For example, as we have seen in the past, cyberattacks that hit supply chains can cause major delays and financial loss. These incidents underscore the vulnerabilities in supply chains during peak times of the year. In 2025, expect a rise in supply chain attacks during the holiday season, targeting ecommerce platforms and logistics providers, which could disrupt product availability and shipping.
Scrutiny on third-party risk management
The newly instated NIS2 Directive in Europe emphasises the importance of third-party risk, pushing companies to enhance oversight. Any data breach involving a third-party vendor must be disclosed – in turn affecting customer trust and even stock prices in some instances. In 2025, retailers will face heightened scrutiny over third-party risk management, with greater demand for transparency and accountability in managing these relationships during high-risk periods.
Surge in identity-based attacks
During the 2025 holiday shopping season, cybersecurity experts anticipate a significant surge in identity-based attacks targeting online retailers, with credential stuffing, phishing, and social engineering emerging as primary threats. These attacks leverage stolen login credentials, automated tools, and sophisticated psychological manipulation to compromise consumer accounts, even bypassing multi-factor authentication. Attackers will exploit the high-traffic volume of seasonal shopping, using tactics like fake sale notifications, spoofed customer support communications, and social media impersonation to hijack accounts, conduct financial fraud, and steal personal information. The complexity of these attacks stems from combining technological tools with emotional exploitation, making consumers particularly vulnerable during peak shopping periods – when they are distracted, excited, and more likely to lower their digital guard.
Situational awareness and geopolitical risks
The interconnectedness of global trade also means that disruptions in one region can have cascading effects. As we saw in early 2024, a geopolitical conflict in Eastern Europe disrupted supply chains for several luxury brands, leading to product shortages globally. In 2025, retailers will need to enhance their situational awareness of geopolitical risks, particularly those affecting supply chains and consumer confidence during the holiday season.
Cybersecurity in B2B transactions: safeguarding the purchasing journey
B2B transactions are increasingly becoming targets for sophisticated cyberattacks. In 2024, a leading global manufacturer reported a breach in its B2B platform that exposed sensitive transaction data, forcing the company to overhaul its security protocols and suspend operations temporarily. In 2025, large manufacturers and distributors must focus on securing B2B transactions and purchasing journeys through investments in end-to-end encryption and secure APIs.
Next big threats in privacy and fraud
The evolving landscape of digital fraud is evident in recent incidents. Retailers will need to be vigilant about emerging threats in data privacy and fraud, such as sophisticated scams and doppelganger websites, to best protect customer trust and comply with new regulation.

As we look toward 2025, the retail cybersecurity landscape demands unprecedented vigilance, strategic foresight, and proactive risk management. The convergence of technological innovation, evolving cyber threats, and increasingly sophisticated attack vectors requires retailers to view cybersecurity not merely as a technical challenge, but as a critical business imperative.
Success will belong to those organisations that can seamlessly integrate robust security practices, maintain regulatory compliance, and preserve customer trust in an increasingly complex digital ecosystem.