Tips for Protecting Against Retail Cyberattacks

As technology advances and hackers get ever more sophisticated with their attacks, cybercrime is accelerating, targeting all industries. Nearly one-quarter (24 percent) of all cyberattacks target retailers, making the industry the top target for hackers, according to Fortinet, a provider of cybersecurity solutions and services.

The security company cites the following reasons for retail’s popularity among hackers:

  • Retailers often have access to personal identifying information.
  • Some retailers might have similar cybersecurity infrastructures.
  • Social engineering is often not prominent on the radar of many retailers.

Beyond the access to valuable customer information, retail is a popular target because there are so many ways to attempt to access their networks, says Omair Manzoor, founder and CEO of ioSENTRIX, another cybersecurity firm. “You’ve got customer-facing apps, loyalty programs, payment systems, in-store Wi-Fi, self-checkout kiosks, and supply chain integrations—all connected, all potential entry points. And the attackers know retail organizations typically run lean security teams.”

Lean security teams and simple technological defenses are not enough to protect retailers, experts note, particularly as identity-based attacks surge. According to the Huntress 2026 Cybercrime Report, attackers rely on multifactor authentication (MFA) fatigue, token theft, abuse of the OAuth protocol (an open-standard framework that lets apps securely access user data from other services, such as photos, contacts, or calendars, without requiring users to share their passwords), and misconfigured cloud applications to infiltrate and persist in target environments.

“Bad actors continued to abuse trusted infrastructure, like remote monitoring and management (RMM) tools and living-off-the-land binaries (LOLBins), to avoid detection before launching payloads,” the report says.

For the most part, retailers already do the table stakes well: firewalls, regular patching, device intelligence, behavioral detection, anti-social engineering training for staff, and other well-established defenses, says Peter Horadan, CEO of Vouched, an identity verification platform provider. But, “also critical is stepped-up verification for risky actions like password resets, new payment methods, shipping address changes, suspicious returns, and high-value purchases.”

Part of the challenge for retailers is that much of their e-commerce infrastructure consists of customer-facing apps developed by a growing number of third parties.

Also complicating the retail environment’s security posture is the pressure retailers face to deliver fast, frictionless mobile experiences, with features such as one-tap checkout, saved cards, and instant rewards. To meet those expectations, they might overlook other security protections, according to security experts.

“Our security researchers recently tested 20 top U.S. shopping apps and found that 90 percent of them store sensitive passwords and access codes directly inside the app, where hackers can easily find them. Every major marketplace app—Amazon, Walmart, Target, Temu, eBay—fails to verify that data sent between your phone and their servers stays secure,” says Rishika Mehrotra, chief strategy officer of Appknox, a mobile app security services and solutions provider.

Security Exposure from Third-Party Vendors

It also doesn’t help that retail runs on third-party partners for so many other systems, including payment processors, logistics platforms, marketing tools, even heating/ventilation/air-conditioning systems, and every one of them is a potential entry point for hackers. Take, for example, the 2013 Target data breach, which compromised roughly 40 million credit and debit card numbers. It began when hackers stole network credentials from Fazio Mechanical Services, a Pennsylvania-based HVAC subcontractor.

Because of that dependency, Rom Carmel, CEO and cofounder of cybersecurity startup Apono, urges retailers to view third-party vendor access as their highest-risk surface.

Vendor permissions should be narrow, temporary, and continuously reviewed, he and others suggest.

Most retail cyberattacks don’t begin with sophisticated zero-day exploits; they begin with someone—an employee, a contractor, a third-party vendor—who has more access privileges than they should, for longer than they need it, Carmel says. “That’s the uncomfortable truth retailers have to confront, because the standing permissions inside their cloud environments and customer-facing systems are usually the largest unguarded door in their businesses.”

Most major retail breaches in the past 10 years have followed the same pattern, according to Carmel: An attacker compromises one set of credentials, then quietly moves through systems that were left wide open from the inside. Point-of-sale networks, e-commerce back ends, customer databases, and loyalty programs are often connected by accounts and access pathways nobody has reviewed in years.

If a company has sensitive information in a physical building, it wouldn’t grant everyone access, says Don Warden II, president of Cyber Pros. “Network security should be approached the same way. The part of your network that handles customer payments should be separate from everything else. If something goes wrong in one area, you want it contained, not spreading.”

Think carefully about who has access to which systems and information, Warden recommends. “Not every employee needs to see every system. Not every outside vendor needs a standing connection into your business. Giving people only the access required to do their jobs sounds like a small thing, but it’s one of the most effective ways to limit your exposure if something goes wrong.”
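The “narrow, temporary, and continuously reviewed” access model that Carmel and Warden describe can be enforced mechanically. The following is an added example written for this article, not code from any company quoted in it: a small access broker that issues grants scoped to one principal, one resource, and one action; caps every grant’s lifetime so no “standing” access exists; supports one-call offboarding; and lists the longest-lived active grants for periodic review. All principal and resource names are constructed for illustration.

```python
"""Narrow, temporary, reviewable access grants for vendors and employees.

Added example (not from the article). Models an access broker that issues
scoped, expiring grants and reports long-lived ones for review.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Grant:
    principal: str       # e.g. "vendor:hvac-contractor" (constructed name)
    resource: str        # e.g. "bms/store-042" (constructed name)
    action: str          # "read" or "write"
    issued_at: datetime
    expires_at: datetime # every grant expires; there is no "forever"


class AccessBroker:
    def __init__(self, max_ttl: timedelta = timedelta(days=30)):
        self.max_ttl = max_ttl          # policy ceiling on any single grant
        self._grants: list[Grant] = []

    def grant(self, principal: str, resource: str, action: str,
              ttl: timedelta, now: datetime) -> Grant:
        # Requests longer than policy allows are capped, not refused, so the
        # requester has to come back and re-justify the access later.
        ttl = min(ttl, self.max_ttl)
        g = Grant(principal, resource, action, now, now + ttl)
        self._grants.append(g)
        return g

    def is_allowed(self, principal: str, resource: str, action: str,
                   now: datetime) -> bool:
        # Default deny: only an exact, unexpired match opens the door.
        return any(
            g.principal == principal and g.resource == resource
            and g.action == action and now < g.expires_at
            for g in self._grants
        )

    def revoke_all(self, principal: str) -> int:
        """Offboard a vendor or employee: drop every grant they hold."""
        before = len(self._grants)
        self._grants = [g for g in self._grants if g.principal != principal]
        return before - len(self._grants)

    def review_report(self, now: datetime,
                      longer_than: timedelta = timedelta(days=7)) -> list[Grant]:
        """Active grants whose lifetime exceeds `longer_than`: review candidates."""
        return sorted(
            (g for g in self._grants
             if now < g.expires_at and g.expires_at - g.issued_at > longer_than),
            key=lambda g: g.expires_at - g.issued_at, reverse=True,
        )


if __name__ == "__main__":
    now = datetime(2026, 1, 1, tzinfo=timezone.utc)
    broker = AccessBroker()
    broker.grant("vendor:hvac-contractor", "bms/store-042", "read", timedelta(hours=4), now)
    print(broker.is_allowed("vendor:hvac-contractor", "bms/store-042", "read", now))
    print(broker.is_allowed("vendor:hvac-contractor", "pos/store-042", "read", now))
    print([g.principal for g in broker.review_report(now)])
```

The broker deliberately has no API for a non-expiring grant; the only way to keep access is to re-request it, which is the review point the experts above are asking for.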

The reality is that the majority of retail breaches aren’t the result of James Bond-level hacking, Warden says. “They happen because basic things got overlooked: an old password nobody changed; software that didn’t get updated; a vendor with more access than they ever needed. Those are the gaps attackers actually exploit, and fixing them doesn’t require a team of experts. It requires paying attention.”

Three-quarters of third-party apps don’t verify that payment data travels securely between the phone and the retailer’s servers, and half have misconfigured security settings that leave checkout information exposed, according to Mehrotra. “It’s like completing a purchase on public Wi-Fi with no password. Anyone watching can see your credit card details and transaction history,” he says.

Mehrotra also notes that some apps have critical network flaws that enable attackers to capture and reuse customer sessions to place fraudulent orders or expose customers to unauthorized loans and fraudulent credit applications, not just stolen checkout data.

Cybersecurity experts also point out that while sophisticated network intrusions do happen, a large number of retail attacks are due at least in part to some type of social engineering or phishing scheme.

“The biggest mistake I see retail clients make is treating cybersecurity as a technology problem when it’s really an operational one,” Manzoor says. “They’ll invest in a fancy firewall or endpoint tool and assume they’re covered. Meanwhile, a store manager is reusing the same password across three systems, and nobody’s tested whether the payment app actually validates transactions properly or just assumes the front end handles it.”

Manzoor adds that company employees are both the biggest vulnerability and the best defense when it comes to cyberattacks. Phishing simulations aren’t enough; employees need to understand why someone might call the store pretending to be IT support and asking them to plug in a USB drive, he states.

“Make the training scenario-based and retail-specific, not generic corporate security awareness that puts everyone to sleep,” Manzoor recommends.

Unique Threats from AI

Technology has been used for years by hackers to exploit networks and by security experts to attempt to protect them. Artificial intelligence (AI) takes this concept to the next level.

While AI is helping retailers more effectively meet customer needs, it also poses security issues.

Retailers are racing to deploy chatbots and shopping assistants that can answer questions, pull up orders, and increasingly take actions on behalf of customers, Carmel points out. But these AI agents are also a new social engineering target, often vulnerable to manipulation to reveal information or take actions they were never meant to. As with humans, it’s important to limit the AI’s access to data. An AI agent helping a customer track an order doesn’t need access to the full customer database, payment systems, or internal tools. Decide exactly what each AI agent can touch, segment it away from anything it doesn’t need, and enforce your policies at runtime, experts suggest.
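The runtime enforcement the experts recommend for AI agents can be a single choke point that every tool call passes through before it executes. The following is an added example written for this article, not code from any company quoted in it; it assumes a hypothetical tool-calling agent framework in which the application, not the model, invokes the enforcement function. Agent names, tool names, and customer ids are constructed for illustration.

```python
"""Runtime least-privilege enforcement for a customer-facing AI agent.

Added example (not from the article). Each agent gets an allowlist of tools,
and each tool names the argument that must equal the authenticated customer.
"""
from dataclasses import dataclass

# agent -> {tool -> argument that must be bound to the session's customer}
# Anything not listed is denied, so a prompt-injected "issue a refund" request
# has no path from the order-tracking agent to a refund tool.
AGENT_POLICY = {
    "order-tracker": {
        "get_order_status": "customer_id",
        "get_shipping_eta": "customer_id",
    },
    "returns-assistant": {
        "get_order_status": "customer_id",
        "start_return": "customer_id",
    },
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def enforce_tool_call(agent: str, session_customer: str, tool: str, args: dict) -> Decision:
    """Decide whether `agent`, acting for `session_customer`, may run `tool` with `args`."""
    tools = AGENT_POLICY.get(agent)
    if tools is None:
        return Decision(False, f"unknown agent {agent!r}")
    if tool not in tools:
        return Decision(False, f"tool {tool!r} is not in the allowlist for {agent!r}")
    bound_arg = tools[tool]
    # The scoping argument is compared against the session, never trusted from
    # the model's output, so the agent cannot be talked into acting on another
    # customer's data. A mismatch is worth logging as a manipulation attempt.
    if args.get(bound_arg) != session_customer:
        return Decision(False, f"{bound_arg} must match the authenticated customer")
    return Decision(True, "allowed")


if __name__ == "__main__":
    print(enforce_tool_call("order-tracker", "cust-1001", "get_order_status",
                            {"customer_id": "cust-1001", "order_id": "o-1"}))
    print(enforce_tool_call("order-tracker", "cust-1001", "issue_refund", {"order_id": "o-1"}))
    print(enforce_tool_call("order-tracker", "cust-1001", "get_order_status",
                            {"customer_id": "cust-2002", "order_id": "o-9"}))
```

Because the allowlist is per agent rather than per deployment, segmenting a new assistant away from payment or internal tools is a policy entry, not a code change.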

While AI can certainly help protect retailers’ networks, there’s the danger of relying on the technology too much, cautions Dean Hickman-Smith, chief revenue officer of Testlio, a software testing solutions provider. He notes that when using AI to help with security, companies should do the following:

  • Test under real customer conditions, not ideal ones. Evaluate AI the same way customers actually use it: during peak traffic and with incomplete prompts, ambiguous questions, and emotionally charged scenarios like returns or delivery delays.
  • Test across devices, geographies, languages, and accessibility needs.
  • Validate consistency across channels. Many retailers deploy AI in silos—one experience for chat, another for voice, another for search. Customers don’t see those boundaries. If AI gives one return policy in chat and another via voice, the experience is broken, even if each system is technically working.
  • Test with real people in the loop, not just scripted scenarios. Customers ask unclear questions, switch devices mid-journey, and bring emotion into the interaction. These human variables are where AI fails most often. Scripted prompts miss ambiguity, frustration, and edge cases. Real human testing surfaces misleading answers before customers do.
  • Treat AI governance as a CX function. AI agents are customer-facing employees operating at a massive scale. They need the same oversight as frontline staff, including escalation paths, confidence thresholds, clear guardrails on regulated topics, and defined moments when not answering is the right answer.

Still, even with solid anti-hacking technology and excellent employee security training, compromises will occur, experts warn, in part because new threats keep emerging.

Among them, web skimming attacks will become more common. In this kind of attack, hackers subtly extract payment data from a breached checkout stream, says Zbynek Sopuch, chief technology officer of Safetica, which makes an AI-powered platform integrating data protection, insider risk, cloud security, and compliance.

Experts also expect to see more cases of supply chain manipulation at the application layer, in which a plugin, an analytics script, or an integration is targeted, but the application itself is not visibly breached to the end consumer.

Account takeovers to gain revenue and data will also become more common. This happens when actual users are impersonated through credential stuffing and session hijacking attacks to gain access to and operate inside of legitimate accounts. Once inside an account, fraudsters can redeem loyalty points, access stored payment data and other user information, and corrupt signals on customer behavior, leading to key data pollution.
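Both credential stuffing and session hijacking leave traces in authentication logs that a retailer can alert on. The following is an added example written for this article, not code from any company quoted in it: two detection rules run over a constructed, simplified auth log. The first flags a client IP that fails logins against many distinct accounts inside a short window and lists the accounts that nonetheless logged in from that IP (candidates for session revocation and stepped-up verification); the second flags a session token used from more than one device fingerprint. The log format, IP addresses (documentation ranges), user agents, and session ids are all constructed.

```python
"""Credential-stuffing and session-reuse detection over auth logs.

Added example (not from the article). The log lines below are constructed;
real systems will need their own parser but the same two rules.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2026-03-01T10:00:01Z login_failed user=alice ip=203.0.113.5 ua="python-requests/2.31"
2026-03-01T10:00:02Z login_failed user=bob ip=203.0.113.5 ua="python-requests/2.31"
2026-03-01T10:00:03Z login_failed user=carol ip=203.0.113.5 ua="python-requests/2.31"
2026-03-01T10:00:04Z login_failed user=dave ip=203.0.113.5 ua="python-requests/2.31"
2026-03-01T10:00:05Z login_ok user=erin ip=203.0.113.5 ua="python-requests/2.31"
2026-03-01T10:00:06Z login_failed user=frank ip=203.0.113.5 ua="python-requests/2.31"
2026-03-01T10:00:07Z login_failed user=grace ip=203.0.113.5 ua="python-requests/2.31"
2026-03-01T10:05:00Z login_failed user=helen ip=198.51.100.7 ua="RetailApp/4.2 (iOS)"
2026-03-01T10:05:20Z login_ok user=helen ip=198.51.100.7 ua="RetailApp/4.2 (iOS)"
2026-03-01T10:06:00Z session_use session=s-1b3c ip=198.51.100.7 ua="RetailApp/4.2 (iOS)"
2026-03-01T10:10:00Z session_use session=s-9f2a ip=198.51.100.20 ua="RetailApp/4.2 (iOS)"
2026-03-01T10:12:00Z session_use session=s-9f2a ip=203.0.113.5 ua="python-requests/2.31"
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\w+) (?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="value with spaces"


def parse_log(text: str) -> list[dict]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the detector
        ev = {k: v.strip('"') for k, v in KV_RE.findall(m["kv"])}
        ev["ts"] = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        ev["event"] = m["event"]
        events.append(ev)
    return events


def detect_credential_stuffing(events, min_accounts=5, window=timedelta(minutes=10)):
    """{ip: distinct failed accounts} for IPs over the threshold in any sliding window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "login_failed":
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1           # slide the window forward
            distinct = {e["user"] for e in fails[start:end + 1]}
            if len(distinct) >= min_accounts:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged


def accounts_hit_from(events, ips) -> list:
    """Accounts that logged in successfully from a flagged IP: the likely takeovers."""
    return sorted({e["user"] for e in events if e["event"] == "login_ok" and e["ip"] in ips})


def detect_session_reuse(events) -> dict:
    """Session tokens seen from more than one (ip, user-agent) pair."""
    seen = defaultdict(set)
    for e in events:
        if e["event"] == "session_use":
            seen[e["session"]].add((e["ip"], e["ua"]))
    return {s: sorted(pairs) for s, pairs in seen.items() if len(pairs) > 1}


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    stuffing = detect_credential_stuffing(ev)
    print("credential stuffing:", stuffing)
    print("accounts to step up:", accounts_hit_from(ev, stuffing))
    print("reused sessions:", detect_session_reuse(ev))
```

The distinct-account count matters more than the raw failure count: a legitimate customer mistyping one password several times is a single account, while a stuffing run spreads a few attempts across many.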

Retailers are likely adding to the supply-chain attack surface without realizing it by onboarding APIs, mobile capabilities, and in-store connected technology faster than they test and secure them.

“Prepare for disruption, not just prevention,” advises Rekha Shenoy, CEO of BackBox, which provides a cyber-resilience platform for network infrastructure. “Downtime now costs the global economy roughly $400 billion a year. Retailers feel that disproportionately because every minute offline is revenue walking out the door. Tested response plans, validated backups, and clear escalation paths matter as much as the firewall does. The retailers who weather an incident well aren’t the ones who never get hit; they’re the ones who rehearsed for the day they would.”

“Have a plan for when things go sideways,” Warden adds. “Not if. When. Businesses that come through incidents well aren’t just lucky. They’ve thought through what to do, who to call, and how to communicate with customers before the pressure hits.” 

Phillip Britt is a freelance writer based in the Chicago area. He can be reached at spenterprises1@comcast.net.

Best Practices for Securing the Retail Environment

Maintaining a retail security posture that minimizes data theft possibilities is certainly a daunting task. Staying one step ahead of fraudsters is a constant struggle, and fraudsters only need to be on target once while countermeasures have to be effective all the time. To help with that, several security experts have a number of recommendations, including the following:

  • Test customer-facing applications like an attacker would, without relying on an automated scan, cautions Omair Manzoor, founder and CEO of ioSENTRIX, a cybersecurity firm. “A real person trying to manipulate checkout flows, loyalty point balances, gift card systems, and account takeover scenarios are business logic flaws that no security tool catches because the tool doesn’t understand what a gift card balance should do. We regularly find ways to manipulate pricing logic, stack discounts that shouldn’t stack, or access one customer’s data from another customer’s session.”
  • Segment networks so that a compromised point-of-sale terminal doesn’t give an attacker a path to customer databases. It is a simple defense, but most retail breaches start with one entry point and end with the attacker moving laterally into other systems they never should have reached from that starting position.
  • Treat IT and security as a single function, not two separate ones. In retail, the network team that manages store connectivity and the security team that monitors threats are often working from different playbooks, with different tools, and sometimes toward different priorities, says Rekha Shenoy, CEO of BackBox. “Attackers exploit those seams. When roughly a third of IT and security professionals describe their own collaboration as weak, it’s a strategic vulnerability. Establish shared ownership of critical assets like point-of-sale systems, e-commerce platforms, and payment infrastructure, and make sure everyone knows who responds to what when something breaks.”
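The business-logic flaws Manzoor describes (stacked discounts, manipulated gift card balances, reading another customer’s data from your own session) are caught by server-side validation that ignores whatever the client claims. The following is an added example written for this article, not code from any company quoted in it. It recomputes the order from the catalog, rejects bad quantities, refuses to combine non-stackable discounts, bounds gift card redemption by the ledger balance, binds the order to the authenticated session, and flags high-value orders for the stepped-up verification Horadan calls for earlier in the piece. The catalog, discount codes, balances, and threshold are constructed for illustration.

```python
"""Server-side checkout validation against business-logic abuse.

Added example (not from the article). Every number here comes from
server-held data; nothing the client submits is used as a price.
"""
from decimal import Decimal, ROUND_HALF_UP

CATALOG = {"sku-100": Decimal("49.99"), "sku-200": Decimal("15.00")}   # constructed
DISCOUNTS = {                                   # code -> (rate, stackable)
    "WELCOME10": (Decimal("0.10"), False),
    "SPRING20": (Decimal("0.20"), False),
    "FREESHIP": (Decimal("0.00"), True),
}
GIFT_CARD_BALANCES = {"gc-7781": Decimal("25.00")}                      # constructed ledger
STEP_UP_THRESHOLD = Decimal("500.00")   # orders at or above this need re-verification
CENT = Decimal("0.01")


class CheckoutError(ValueError):
    """Raised for any order the server refuses to price."""


def validate_checkout(session_customer: str, order: dict) -> dict:
    # The order must belong to whoever is actually logged in.
    if order.get("customer_id") != session_customer:
        raise CheckoutError("order does not belong to the authenticated customer")

    subtotal = Decimal("0.00")
    for item in order.get("items", []):
        qty = item.get("qty")
        if not isinstance(qty, int) or isinstance(qty, bool) or qty <= 0:
            raise CheckoutError(f"invalid quantity for {item.get('sku')!r}")
        price = CATALOG.get(item.get("sku"))   # never the client-supplied price
        if price is None:
            raise CheckoutError(f"unknown sku {item.get('sku')!r}")
        subtotal += price * qty
    if subtotal <= 0:
        raise CheckoutError("empty order")

    codes = list(order.get("discount_codes", []))
    if len(set(codes)) != len(codes):
        raise CheckoutError("discount code submitted more than once")
    unknown = [c for c in codes if c not in DISCOUNTS]
    if unknown:
        raise CheckoutError(f"unknown discount codes {unknown}")
    if sum(1 for c in codes if not DISCOUNTS[c][1]) > 1:
        raise CheckoutError("non-stackable discounts cannot be combined")
    rate = sum((DISCOUNTS[c][0] for c in codes), Decimal("0"))
    total = (subtotal * (Decimal("1") - rate)).quantize(CENT, rounding=ROUND_HALF_UP)

    applied = Decimal("0.00")
    gc = order.get("gift_card")
    if gc:
        balance = GIFT_CARD_BALANCES.get(gc.get("id"))
        if balance is None:
            raise CheckoutError("unknown gift card")
        applied = Decimal(str(gc.get("amount", "0"))).quantize(CENT)
        # Redemption can neither exceed the ledger balance nor the order total
        # (the latter blocks turning a gift card into a refund to another method).
        if applied <= 0 or applied > balance or applied > total:
            raise CheckoutError("gift card amount out of range")

    return {
        "subtotal": subtotal,
        "total": total,
        "gift_card_applied": applied,
        "amount_due": total - applied,
        "step_up_required": total >= STEP_UP_THRESHOLD,
    }


def is_rejected(session_customer: str, order: dict) -> bool:
    """True when the server refuses the order (convenience for tests and dashboards)."""
    try:
        validate_checkout(session_customer, order)
    except CheckoutError:
        return True
    return False


if __name__ == "__main__":
    order = {"customer_id": "cust-1", "items": [{"sku": "sku-100", "qty": 2}],
             "discount_codes": ["WELCOME10", "FREESHIP"],
             "gift_card": {"id": "gc-7781", "amount": "20.00"}}
    print(validate_checkout("cust-1", order))
```

A manual tester exercising this endpoint should try exactly the cases it rejects: duplicate and combined codes, zero or negative quantities, a gift card amount above its balance, and an order carrying someone else’s customer id.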
