This article is provided by BRC Associate Member, Foot Anstey.

__________________________

The well-publicised trio of cyberattacks against three of the UK's most established retailers in the past few weeks is a wake-up call that UK retailers are a prime target for hackers and bad actors. Whilst the industry has raced to build out e-commerce platforms and digital infrastructures over the past few years, an insufficient prioritisation of cyber risk has left many organisations (which hold huge amounts of customer personal data) extremely vulnerable to malicious cyberattacks.

What the events of the last few weeks have also shown is that attacks can cause unprecedented disruption to services which, in turn, results in massive reputational and financial loss (estimated at £300m for one of the trio at the time of writing). Cyberattacks are now, undoubtedly, a real and existential threat to organisations operating in the UK retail sector.

It isn't just large organisations which are affected – cyberattacks are on the rise for businesses of all sizes, with 50% having experienced a breach in the past year. Recently, a school in Chester was forced to shut for two days while a cyber-security company investigated a ransomware attack.

Clearly, this type of incident causes immense reputational, financial and operational harm. However, cyberattacks are even more damaging if they also result in a data breach, as a business will immediately be at risk of investigation by the Information Commissioner's Office (the UK data protection regulator) and corresponding fines or penalties. As at the date of this article, it is understood that a number of recent cyber incidents against UK retailers did unfortunately result in loss of customers' personal data.

Whilst suffering a data breach is not a breach of UK GDPR per se, the ICO will penalise businesses if the breach is the result of insufficient security measures having been implemented. Penalties can then be even more severe if the ICO discovers that a business did not have in place suitable policies, training programmes or compliance processes.

Lesson 1: Focus on resilience and obtain specialist cybersecurity advice.

  • Under UK GDPR, organisations must take continual and proactive steps to protect themselves against cyberattacks. This could include ensuring IT systems have multi-factor authentication (or equivalent protection), regularly scanning for vulnerabilities, and installing the latest security patches without delay.
  • Depending on the nature of the organisation, it may be appropriate for businesses to engage cybersecurity specialists to undertake technical evaluations to identify existing security vulnerabilities so that these can be remedied. This could include advanced penetration testing and customised training.
  • The ICO have recently fined Advanced Computer Software Group £3.07m for security failings that put nearly 80,000 people's personal information at risk. The fine related to a ransomware incident where hackers had accessed NHS personal information via customer accounts that did not have multi-factor authentication in place.

Lesson 2: Understand the types of personal data your business holds.

  • Do you know what personal data your business processes and who it relates to (e.g. clients, customers, employees)? In particular, do you hold any sensitive personal data like health information or data about an individual's sexuality or religion? Businesses should undertake a tailored data audit to evaluate and identify this information.
  • Where the personal data held is sensitive, there is an obligation to implement more stringent security measures. The ICO are likely to impose even more severe penalties following a breach if sensitive personal data has been impacted. For example, in April 2025 the ICO fined a UK law firm £60,000 following a cyberattack that led to highly sensitive and confidential personal information being published on the dark web. The ICO ruled that the firm had failed to implement appropriate technical measures to ensure the security of the sensitive personal data held electronically.

Lesson 3: Ensure you have effective data governance in place.

  • As well as identifying what data a business holds, it is important to understand where that data is held and for what purposes you process it.
  • You must have confidence that your internal procedures are designed to keep data safe and escalate matters quickly if a breach occurs.
  • Having clear policies in place will help to equip your team to handle complex threats confidently. Your business is much more likely to come under intense ICO scrutiny following a data breach if data practices are generally poor.

Lesson 4: Prepare your crisis response with an integrated approach.

  • Clear procedures will ensure there is a process for employees to follow, and that cyberattacks are escalated as soon as possible and responded to effectively. As part of your response, you will need to consider whether it is necessary to issue a public notice informing customers of the breach. If so, this should be actioned as soon as you are able to do so. The UK retailers most recently hit have been criticised for their delay in informing customers about the cyber incidents and the steps the organisations were taking to protect individuals and remedy the effects. Mishandling a breach can lead to huge reputational harm, erode customer confidence and irreparably damage your brand.
  • Many businesses choose to appoint internal or external communications specialists to assist them in planning for breach incidents by implementing a clear, transparent communication strategy. These specialists will need to work together with your legal team to ensure consistent communications.
  • It can also be helpful to have cyber security experts on standby so that you can address any technical weaknesses that gave rise to the breach and ensure full use of your systems as soon as possible. Cyberattacks regularly impact a business' ability to trade which can therefore impact revenues and shareholder confidence.

Lesson 5: Respond to data breaches in a compliant way.

  • The UK GDPR imposes a duty on all organisations to report certain personal data breaches to the ICO within 72 hours. Having clear data privacy policies in place and ensuring employees are provided with regular training on these policies will increase the likelihood that data breaches are identified quickly and escalated in accordance with your internal procedures.
  • If a breach is likely to result in a high risk to individuals' privacy rights, then the business will also need to inform those individuals without undue delay. We advise obtaining specialist advice to recommend the best course of action following any data breach.

Foot Anstey's flagship BreachReddi service is designed specifically to assess and elevate a business' readiness for data breaches. By working with industry experts Rostrum and Integrity 360, we have developed an integrated and unique approach which covers cybersecurity, data governance and crisis communication, ensuring you are protected against cyberattacks and well placed to efficiently and effectively respond to such an incident should the worst occur. Please do get in touch to find out more.