IT Brief UK - Technology news for CIOs & IT decision-makers

UK retailers warned as critical cyber flaws risk £300 million

Wed, 30th Jul 2025

Four out of five of the UK's top 50 retailers have been found to have at least one form of critical cyber vulnerability, according to research conducted by cyber risk specialist KYND.

The analysis examined the top 50 retailers in the UK by revenue and found that more than a third of them (38%) face critical risks in all five of the threat categories assessed at the same time. The five categories are ransomware exposure, email security weaknesses, outdated software, vulnerable services, and certificate issues.

KYND characterises critical or 'red' risks as vulnerabilities that are highly likely to lead to business interruption if not addressed. In each of the five categories, a majority of the organisations analysed had at least one red risk: 80% had email security vulnerabilities, 72% had certificate issues, 70% had vulnerable services, 70% were running outdated software, and 58% were exposed to ransomware risk.

These findings come in the wake of several high-profile cyber incidents affecting large retail chains in the UK, including M&S, the Co-op, and Harrods. M&S recently stated that a hack initiated in April is expected to cost at least £300 million in lost profits.

Growing digital risks

Commenting on the research, Andy Thomas, Chief Executive Officer at KYND, linked the results to the increasing reliance of the retail sector on digital infrastructure. He noted:

Retailers hold enormous volumes of sensitive data and operate complex supply chains, so even a seemingly minor oversight - like an expired certificate or unpatched software - can quickly become an open door to attackers. These results are a wake-up call for the sector to focus on the fundamentals: visibility, prioritisation and proactive monitoring.

Email security was the largest category by number of findings, with 9,239 critical issues identified across the 50 companies analysed. KYND warns that such weaknesses leave retailers susceptible to phishing and to attackers spoofing their domains. The other vectors were also significant: 1,180 critical issues related to vulnerable services and 1,073 to certificates.

More than a third of the retailers had overlapping vulnerabilities across categories, which KYND warns compounds the individual risks and increases overall exposure to attack.

Call for improved practices

KYND is recommending that retail businesses take several key steps in response to the research findings. The first is gaining full visibility over all digital infrastructure in order to understand the true extent of risk exposure. The company notes that most of the identified issues are visible externally, so attackers can find them as easily as the research did, which makes them attractive targets for cyber criminals.

Other measures advised by KYND involve prioritising the remediation of actively exploited and high-impact vulnerabilities, such as those catalogued in the US Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) list. Retailers are also encouraged to address foundational weaknesses by strengthening email security, patching software regularly, and renewing certificates before they expire.

KYND also emphasises the importance of shifting from sporadic cyber risk assessments to continuous monitoring of the attack surface, as new vulnerabilities can emerge frequently. Retail businesses are further urged to evaluate cyber risks within their third-party supplier networks and assist those partners with remediation of critical issues.

Discussing the broader business implications, Andy Thomas added:

Today, cyber risk is a board-level concern with serious financial, operational, and reputational implications. For retailers operating in an increasingly digital environment, managing cyber risk as a core business risk is essential to maintaining resilience and protecting long-term value.

Certificate issues, according to KYND, are significant because digital certificates underpin secure online communications and data protection. Misconfigured, expired or revoked certificates undermine that protection and can leave organisations vulnerable to attack.
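The article does not say how KYND scores the "email security" and "certificate issues" categories, so the following is an added, illustrative example rather than KYND's tooling or method. It shows what a minimal external check for those two categories looks like: for email, the standard anti-spoofing records (SPF and DMARC) are parsed and weak configurations such as `+all` or `p=none` are flagged; for certificates, the expiry date is compared with a reference date. The asset inventory, the domains, and the 14-day expiry threshold are all constructed assumptions for this example, not real retailers or KYND's thresholds.

```python
"""Offline triage of externally observable findings in two of the five
categories the article names: email security and certificate issues.

Added example; not KYND's code. The inventory below is constructed and the
thresholds are this example's assumptions, not KYND's scoring rules."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Asset:
    domain: str
    cert_not_after: datetime | None  # None: no TLS endpoint observed
    spf: str | None                  # TXT record at the domain apex, None if absent
    dmarc: str | None                # TXT record at _dmarc.<domain>, None if absent


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=mailto:x' into lower-cased tag -> value."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_qualifier(record: str) -> str | None:
    """Return the qualifier on the terminal 'all' mechanism ('-', '~', '?', '+').

    A bare 'all' defaults to '+' per RFC 7208. None means no 'all' mechanism.
    """
    for term in record.split():
        term = term.lower()
        if term.lstrip("+-~?") == "all":
            return term[0] if term[0] in "+-~?" else "+"
    return None


def certificate_findings(asset: Asset, now: datetime) -> list[str]:
    findings: list[str] = []
    if asset.cert_not_after is None:
        return findings
    days = (asset.cert_not_after - now).days  # negative once expired
    if days < 0:
        findings.append(f"certificate expired {-days} days ago")
    elif days <= 14:  # assumed renewal-warning window
        findings.append(f"certificate expires in {days} days")
    return findings


def email_findings(asset: Asset) -> list[str]:
    findings: list[str] = []
    if asset.spf is None:
        findings.append("no SPF record")
    else:
        qualifier = spf_all_qualifier(asset.spf)
        if qualifier in ("+", "?"):
            findings.append(f"SPF ends in {qualifier}all (any sender passes)")
        elif qualifier is None and "redirect=" not in asset.spf.lower():
            findings.append("SPF has no terminal 'all' mechanism")
    if asset.dmarc is None:
        findings.append("no DMARC record")
    else:
        tags = parse_dmarc(asset.dmarc)
        policy = tags.get("p", "")
        if tags.get("v", "").upper() != "DMARC1" or not policy:
            findings.append("malformed DMARC record")
        elif policy == "none":
            findings.append("DMARC policy p=none (monitor only, spoofed mail not rejected)")
        pct = tags.get("pct")
        if pct is not None and pct.isdigit() and int(pct) < 100:
            findings.append(f"DMARC applied to only {pct}% of mail")
    return findings


def triage(assets: list[Asset], now: datetime) -> dict[str, dict[str, list[str]]]:
    """Map domain -> category -> findings, omitting assets with nothing to report."""
    report: dict[str, dict[str, list[str]]] = {}
    for asset in assets:
        categories: dict[str, list[str]] = {}
        if certs := certificate_findings(asset, now):
            categories["certificate issues"] = certs
        if mail := email_findings(asset):
            categories["email security"] = mail
        if categories:
            report[asset.domain] = categories
    return report


# Reference date: the article's publication date, so the output is reproducible.
NOW = datetime(2025, 7, 30, tzinfo=timezone.utc)

# Constructed inventory (hypothetical domains, not real retailers).
SAMPLE = [
    Asset("shop.example", datetime(2025, 7, 20, tzinfo=timezone.utc),
          "v=spf1 include:_spf.example.net ~all",
          "v=DMARC1; p=none; rua=mailto:dmarc@shop.example"),
    Asset("pay.example", datetime(2026, 1, 1, tzinfo=timezone.utc),
          "v=spf1 ip4:198.51.100.0/24 +all", None),
    Asset("www.example", datetime(2026, 1, 1, tzinfo=timezone.utc),
          "v=spf1 include:_spf.example.net -all", "v=DMARC1; p=reject; pct=100"),
]

if __name__ == "__main__":
    for domain, categories in triage(SAMPLE, NOW).items():
        for category, items in categories.items():
            for item in items:
                print(f"{domain}\t{category}\t{item}")
```

Run against the constructed inventory, `shop.example` is flagged in both categories (an expired certificate and a monitor-only DMARC policy), `pay.example` only under email security (an SPF record that passes any sender and no DMARC record at all), and `www.example` not at all. In a real deployment the inventory would be populated from DNS lookups and TLS handshakes against every externally reachable host, and the check would run on a schedule, which is the continuous monitoring the article recommends rather than a one-off assessment.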

This research highlights systemic cyber vulnerabilities within large-scale UK retail organisations and underlines the need for industry-wide improvements to strengthen operational resilience, particularly as the digital threat landscape expands.