Navigating cyber threats in the retail and leisure sector

In today’s digital age, businesses face an unprecedented threat from cyberattacks. A particularly vulnerable sector is the retail and leisure sector, whose cyberattacks often gain public attention.

Almost all brands now have a digital presence; they have e-commerce sites and are increasingly relying on digital platforms like social media to engage with customers and sell products. However, this makes them prime targets for cybercriminals seeking to exploit vulnerabilities.

Earlier this month, Capita was fined £14m by the ICO following a 2023 data breach containing the personal information of 6.6 million people. For some, highly sensitive information was compromised such as criminal records data, financial data and other special category data.

This blog post aims to inform businesses about the growing risks and the importance of investing in robust cybersecurity measures.

Case study: the retail and leisure sector

The retail and leisure sector has witnessed a significant increase in cyberattacks in recent years. M&S suffered a devastating cyberattack earlier this year, which is estimated to cost one third of its annual profits for the 2025/26 financial year, approximately £300 million.

In addition, luxury brands are becoming prime targets, with several high-profile brands experiencing data breaches in the past year, for example a leak in July 2025 affected approximately 419,000 Louis Vuitton customers.

Luxury brands attract cybercriminals due to their high-value transactions and access to personal data of affluent customers. This trend highlights the increasing sophistication and persistence of cybercriminals. They are no longer solely financially motivated by the business; they now seek to exploit customer data, which is used for secondary cyberattacks.

Practical steps to enhance cybersecurity

No organisation is immune to cyberattacks and businesses should adopt a proactive approach to cybersecurity. Here are some practical steps to enhance resilience:

1. Conduct regular security audits and risk assessments: Identify and evaluate potential vulnerabilities within your IT infrastructure. Regular assessments and testing will help to understand the evolving threat landscape and adapt your security measures accordingly to comply with industry standards.
2. Implement incident response plans: Establish clear policies and procedures for data protection, cybersecurity and incident response. These should be reviewed and updated regularly. An effective plan should outline the steps taken in the event of an attack, including communication protocols and recovery procedures.
3. Due diligence: Ensure third parties you work with adhere to robust security measures.
4. Data minimisation: Limit the personal data you collect to essential information only and delete data which is no longer required, reducing the impact of any unauthorised access.
5. Staff training: Educate employees on recognising and responding to cyberattacks, such as who to contact. Human error is still a leading cause of data breaches and doing this will foster a culture of security awareness. Training should cover best practice, phishing and social engineering to train employees on signs, even with more sophisticated attacks.
6. Invest in protective measures: The effects of cyberattacks can be devastating however investing in protective measures such as encryption or multi-factor authorisation can protect sensitive data. Cybercriminals often exploit outdated software to gain access to systems.
7. Governance: Keep aware of regulatory changes and evolving threats affecting your sector, such as lessons learned from previous incidents. Staying ahead of potential risks is crucial for the long-term success of any organisation.
8. Seek advice: Professionals such as lawyers and cybersecurity experts can provide tailored advice and solutions to enhance your cybersecurity.

Maintaining trust and brand reputation

Cyberattacks are constantly evolving to become more personalised so it can be difficult to know where to start. However, in the retail and leisure sector, keeping customer data safe is paramount.

By demonstrating a commitment to safeguarding customer data, businesses can protect against significant financial losses and protect the brand’s future by building trust and long-lasting relationships with loyal customers, boosting brand reputation and differentiating themselves in a competitive market. Staying ahead of cyber threats is not just a necessity but a strategic priority

How we can help

If you would like support in understanding your data protection obligations and strengthening your current procedures, please contact our Commercial & Technology team. We understand the unique challenges faced by luxury brands and are here to help.