
Too many businesses are treating cybersecurity as an optional extra rather than a necessary investment, says a Bayes Business School expert in technology and innovation, responding to recent cyber-attacks on Co-op and Marks & Spencer and an attempted breach at Harrods.
Marks & Spencer have this week claimed customers’ personal data were seized by hackers, including addresses and contact details. The attack led to the retailer suspending online retail, costing it in excess of £43 million a week.
Co-op, meanwhile, was forced to shut down some of its supply chain operations to mitigate a separate attack—resulting in disruptions to deliveries and stock.
Professor Feng Li, associate dean for research and innovation at Bayes Business School, said retailers had become an easy target for hackers by using outdated systems.
“The recent cyber-attacks on M&S and Co-op illustrate systemic weaknesses within retail IT environments—neither are particularly surprising,” he said.
“In businesses with legacy systems and patchwork IT infrastructures, which commonly include retailers and banks, such vulnerabilities are problems waiting to happen. We have been talking about such issues for more than a decade but so far there have been no material improvements.
“Hackers’ specific motivations remain speculative, but their techniques, including exploiting simple process failures by impersonating employees, highlight persistent and fundamental security gaps rather than sophisticated cyber methods.
“Retailers on tight margins have historically underinvested in comprehensive cybersecurity measures, leaving critical legacy systems increasingly vulnerable. These infrastructures amplify risks, particularly as companies expand their digital integration with third-party platforms, each connection further broadening their vulnerabilities.”
Retailers are a rich source of personal and financial data with an increasingly online customer base, and recent breaches are sure to put competitors on high alert. Professor Li, who serves on a government-sponsored cybersecurity steering group, added that regulations and company attitudes to attacks also needed revisiting.
“Current regulatory frameworks lack sufficient urgency or enforcement to drive substantial cybersecurity improvements, without imposing significant costs or new liabilities,” he continued.
“Some businesses treat cybersecurity as an optional expenditure rather than an essential strategic investment.
“Until the retail sector fundamentally shifts its approach to proactively address technological debt, secure system integrations, and actively enforce cybersecurity procedures, we should anticipate recurring breaches.
“The rapid advancement of AI will likely simplify the exploitation of these vulnerabilities, and there is no easy solution in sight.”
Citation: Retail cyber-attacks reflective of ‘patchwork’ IT infrastructures and weak regulatory systems, says expert (2025, May 15), retrieved 15 May 2025