{"id":16878,"date":"2026-03-19T13:55:12","date_gmt":"2026-03-19T13:55:12","guid":{"rendered":"https:\/\/dmsretail.com\/RetailNews\/how-2025s-cyber-10-days-of-doom-exposed-the-uk-supply-chain-threat\/"},"modified":"2026-03-19T13:55:12","modified_gmt":"2026-03-19T13:55:12","slug":"how-2025s-cyber-10-days-of-doom-exposed-the-uk-supply-chain-threat","status":"publish","type":"post","link":"https:\/\/dmsretail.com\/RetailNews\/how-2025s-cyber-10-days-of-doom-exposed-the-uk-supply-chain-threat\/","title":{"rendered":"How 2025\u2019s cyber \u201810 days of doom\u2019 exposed the UK supply chain threat"},"content":{"rendered":"<div itemprop=\"text\">\n<p><strong><em>The hammering UK retailers took in 2025 from cyber security incidents has pushed the subject higher up corporate agendas, writes Ed Hayes, partner at TLT law firm (and ex-Clarks head of legal)\u2026<\/em><\/strong><\/p>\n<p>The \u201810 days of doom\u2019 in late spring 2025 that hit Marks and Spencer, the Co-operative Group, and Harrods focused minds on the consequences of cyber attacks.<\/p>\n<p>With Heathrow Airport, Adidas, H&amp;M, and Jaguar Land Rover among the big retail and leisure sector names also hit in 2025, the message is stark: cyber risks are real and growing.<\/p>\n<p>While retailers are naturally reticent about disclosing full details of attacks, publicly available information points 
clearly to supply chain targets. The Adidas incident was an attack on a third-party customer service provider; the Heathrow attack targeted a provider of electronic check-in and baggage services; and an incident disrupting deliveries to major supermarkets was an attack on a third-party logistics provider.<\/p>\n<p>As the supply chain has expanded beyond haulage and warehousing to ecommerce platforms, managed IT providers and POS vendors, all connecting into retailers\u2019 systems, the risk has grown in recent years.<\/p>\n<p>Criminal attackers like supply chains for the same reason retailers do: scale and speed. Compromising one widely used supplier opens routes into dozens of downstream organisations. In light of this, the UK\u2019s National Cyber Security Centre (NCSC) has long pushed organisations to treat suppliers as part of their security perimeter and to manage risk systematically rather than by \u201ctick-box\u201d questionnaires.<\/p>\n<p><strong>What do supply-chain cyber risks look like?<\/strong><\/p>\n<p><em>Small supplier, big doorway<\/em><br \/>A local maintenance contractor with weak security controls can be a route into a retailer\u2019s systems. VPN access, mailbox access or an API key is often enough for an attacker to move laterally in a retailer\u2019s IT estate after compromising a single third party.<\/p>\n<p><em>Abuse of trusted connections<\/em><br \/>Most retailers run on integrations: EDI links to suppliers, APIs to couriers, single sign-on to cloud services, remote support for store systems, and so on. An attacker doesn\u2019t need to breach a firewall if they can log in through a legitimate third-party route.<\/p>\n<p><em>Software compromise<\/em><br \/>Retail platforms typically depend on third-party components and frequent updates. 
A compromised update, malicious dependency or stolen code-signing credential lets an attacker deliver malware straight into a retailer\u2019s production environment, cloaked as standard change activity.<\/p>\n<p><em>Data leak<\/em><br \/>An initial compromise might be \u201cjust\u201d a supplier, but the impact on the retailer is typically large: loyalty data, customer contact details, employee HR data, and product and pricing strategies are all targets for criminal hackers once they are \u2018in\u2019. Most attacks combine service disruption with the threat of publishing customer and staff personal data.<\/p>\n<p><strong>What legal issues does this present?<\/strong><\/p>\n<p>A retailer\u2019s legal obligations don\u2019t fall away because it is targeted indirectly through a third-party supplier rather than by an attack on its own systems. If personal data is involved, UK GDPR requires that a retailer has \u201cappropriate technical and organisational measures\u201d in place, which includes ensuring the robustness of supply chain partners.<\/p>\n<p>Contracts should set out security expectations, assistance requirements and incident management protocols. Failing to mandate, and to check, that supply chain vendors have appropriate security measures can leave a retailer responsible for a resulting data loss.<\/p>\n<p>For virtually all retailers, payment security is a daily operational reality. PCI DSS v4 introduced new payment card security requirements, effective spring 2025, raising the bar in areas such as authentication and anti-phishing controls. 
Any retailer outsourcing payment processing needs confidence that its suppliers comply with those standards and that integration choices don\u2019t leave gaps.<\/p>\n<p>While most retailers are not directly regulated as \u2018operators of essential services\u2019 under the Network and Information Systems Regulations 2018, the UK is moving toward stronger oversight of cyber resilience across critical services and their dependencies.<\/p>\n<p>The Government\u2019s Cyber Security and Resilience Bill (introduced November 2025) is framed as reforming and adding to the NIS regime, focusing on supply chain risks and sectors such as managed service providers and data centres. That should have knock-on effects for contract terms, audit rights and incident response arrangements.<\/p>\n<p><strong>What protections are needed?<\/strong><\/p>\n<p>Supply chain cyber risk should be treated like any other material business risk: prioritised, measured, and with controls built into commercial processes.<\/p>\n<ul>\n<li><strong>Mapping<\/strong><br \/>Any retailer needs to understand its supply chain end-to-end and have clarity on which suppliers can affect operations or data. The NCSC has published helpful supply chain guidance, which focuses on establishing oversight and control without expecting perfect knowledge.<\/li>\n<li><strong>Minimise access<\/strong><br \/>A key step is reducing the \u201cblast radius\u201d of an attack: limit supplier access to the minimum required, time-box privileged access, enforce multi-factor authentication, and separate store networks from corporate systems. Retailers should assume that credentials will be stolen at some point and design systems so that one stolen account cannot reach beyond that supplier\u2019s own narrow scope.<\/li>\n<li><strong>Operational contracts<\/strong><br \/>Too many contracts treat security as an afterthought. 
Supplier policies and procedures are accepted unchecked, specific security controls are not mandated, incident handling protocols are not established, unrestricted sub-contracting is permitted, or rights to audit are not included.<\/li>\n<li><strong>Evidence not promises<\/strong><br \/>Retailers should insist on independent assurance of supplier security (e.g., SOC 2 reports, ISO 27001 certification, penetration test summaries) and ensure they have the capability to audit and interpret what is covered: a SOC 2 report or ISO 27001 certificate only speaks to the systems within its stated scope, and any exceptions it lists need to be read.<\/li>\n<li><strong>Plan for incidents<\/strong><br \/>The retailers best able to respond to almost inevitable attacks on partners are those that run regular exercises testing their response to a failure somewhere in the supply chain. There should be readily deployable playbooks covering how to isolate integrations quickly, rotate API keys and other shared credentials, and communicate with customers and regulators.<\/li>\n<\/ul>\n<p><strong>Hope for 2026?<\/strong><\/p>\n<p>One of the few upsides of the awful 2025 that retailers suffered on the cyber threat front is growing awareness of how critical supply chain security is.<\/p>\n<p>Suppliers are coming to understand the security demands that retailers rightly make, driving improvements in their contractual and operational starting positions.<\/p>\n<p>Supply chain vendors that don\u2019t adapt and improve will be left behind by retailers that can\u2019t afford the cost of cyber risks being baked into their IT systems by third parties. 
That combination of greater retailer awareness and a stronger supplier offering can materially reduce a retailer\u2019s cyber risk profile.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>The hammering UK retailers took in 2025 from cyber security incidents has pushed the subject higher up corporate agendas, writes Ed Hayes, partner at TLT 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":16879,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13],"tags":[],"class_list":["post-16878","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-magazines"],"_links":{"self":[{"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/posts\/16878","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/comments?post=16878"}],"version-history":[{"count":0,"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/posts\/16878\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/media\/16879"}],"wp:attachment":[{"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/media?parent=16878"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/categories?post=16878"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/tags?post=16878"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
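The article's "Minimise access" bullet (least privilege, time-boxed privileged access, MFA, store/corporate separation, and designing so that one stolen account cannot reach further) and its "Plan for incidents" bullet (isolating integrations, rotating API keys) describe controls without showing how a retailer would check them. The block below is an added example, not code from the article, from TLT or from any retailer named in it. It models supplier access grants and runs three checks: a grant review against those rules, a blast-radius estimate for one compromised supplier, and a detector over access-log lines that flags logins outside an account's grant. Every supplier, account, system, policy value (such as the eight-hour privileged window) and log line is constructed for the example.

```python
"""Third-party access controls as code (added example, not from the article).

Implements the article's "Minimise access" rules as a grant review, a
blast-radius estimate for a compromised supplier, and a detector over
access-log lines. All suppliers, accounts, systems, policy values and
log lines below are constructed for this example.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Grant:
    supplier: str
    account: str
    system: str
    zone: str                    # "store" or "corporate"
    kind: str                    # "vpn", "mailbox", "sso" or "api-key"
    privileged: bool
    mfa: bool                    # MFA enforced on this account
    expires: Optional[datetime]  # None means standing access with no expiry


MAX_PRIVILEGED_WINDOW = timedelta(hours=8)  # assumed policy value, not from the article


def policy_violations(grant: Grant, now: datetime) -> List[str]:
    """Rules a single grant breaks; an empty list means it is compliant."""
    problems = []
    if not grant.mfa and grant.kind != "api-key":  # keys are rotated, humans get MFA
        problems.append("no-mfa")
    if grant.expires is None:
        problems.append("standing-access")
    elif grant.expires <= now:
        problems.append("expired-but-still-active")
    if grant.privileged and (grant.expires is None
                             or grant.expires - now > MAX_PRIVILEGED_WINDOW):
        problems.append("privileged-not-time-boxed")
    return problems


def review_grants(grants: List[Grant], now: datetime) -> Dict[str, List[str]]:
    """Map account -> violations, listing only non-compliant grants."""
    report = {}
    for g in grants:
        v = policy_violations(g, now)
        if v:
            report[g.account] = v
    return report


def blast_radius(grants: List[Grant], supplier: str) -> dict:
    """What an attacker reaches if every credential held by one supplier is stolen."""
    mine = [g for g in grants if g.supplier == supplier]
    return {
        "systems": sorted({g.system for g in mine}),
        "crosses_store_corporate": len({g.zone for g in mine}) > 1,
    }


# Constructed log format: ISO timestamp, then key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) system=(?P<system>\S+) mfa=(?P<mfa>true|false)"
)


def detect_misuse(grants: List[Grant], log_lines: List[str]) -> List[Tuple[str, str]]:
    """Flag successful logins that fall outside the account's grant."""
    by_account = {g.account: g for g in grants}
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or "result=success" not in line:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        g = by_account.get(m["account"])
        if g is None:                          # a third-party account nobody granted
            alerts.append((m["account"], "no-grant"))
            continue
        if m["system"] != g.system:            # lateral movement beyond the grant
            alerts.append((g.account, "outside-grant:" + m["system"]))
        if g.expires is not None and ts > g.expires:
            alerts.append((g.account, "after-expiry"))
        if g.mfa and m["mfa"] == "false":      # MFA was required but not presented
            alerts.append((g.account, "mfa-bypassed"))
    return alerts


NOW = datetime(2025, 6, 1, 9, 0, tzinfo=timezone.utc)

GRANTS = [  # constructed sample grants
    Grant("acme-maintenance", "acme-svc", "store-hvac", "store", "vpn", False, False, None),
    Grant("acme-maintenance", "acme-admin", "corp-erp", "corporate", "sso", True, True, NOW + timedelta(days=30)),
    Grant("swift-logistics", "swift-edi", "edi-gateway", "corporate", "api-key", False, False, NOW + timedelta(days=90)),
    Grant("helpdesk-co", "helpdesk-eng", "store-pos", "store", "vpn", True, True, NOW + timedelta(hours=4)),
]

LOG_LINES = [  # constructed sample log lines
    "2025-06-01T08:15:00Z account=helpdesk-eng system=store-pos mfa=true src=198.51.100.4 result=success",
    "2025-06-01T14:02:11Z account=helpdesk-eng system=store-pos mfa=true src=198.51.100.4 result=success",
    "2025-06-01T10:12:03Z account=acme-svc system=corp-erp mfa=false src=203.0.113.9 result=success",
    "2025-06-01T10:13:40Z account=acme-admin system=corp-erp mfa=false src=203.0.113.9 result=success",
    "2025-06-01T10:14:00Z account=ghost-vendor system=ecom-api mfa=true src=203.0.113.9 result=failure",
    "2025-06-01T10:14:05Z account=ghost-vendor system=ecom-api mfa=true src=203.0.113.9 result=success",
]

if __name__ == "__main__":
    print(review_grants(GRANTS, NOW))
    print(blast_radius(GRANTS, "acme-maintenance"))
    for alert in detect_misuse(GRANTS, LOG_LINES):
        print(alert)
```

The grant review is what a retailer would run before signing off supplier access and again at each contract review; the blast-radius check is the "assume the credential is stolen" test applied per supplier, and a result that crosses the store/corporate boundary is exactly the segmentation failure the article warns about. The detector only needs the grant list and the access log, so it can run at the identity provider or VPN concentrator without any cooperation from the supplier; an "after-expiry" or "no-grant" alert is also the trigger for the playbook step of cutting the integration and rotating the key.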