Lessons Learned from Cybersecurity Breaches in Retail

Over the past five years, retailers have faced some of the most disruptive cyberattacks in any industry. From credential-stuffing campaigns and ransomware shutdowns to cloud misconfigurations and supply chain outages, breaches at SHEIN, Neiman Marcus, GUESS, Hot Topic, Etsy, Marks & Spencer, UNFI, Victoria’s Secret, Adidas, and The North Face highlight the unique challenges of protecting a highly visible, consumer-driven sector.

Why Retail Keeps Getting Hit

Retail is a prime target for cybercriminals. The industry runs on complex supply chains, high volumes of customer data, and consumer-facing websites that must be available 24/7. When something goes wrong, the impact is immediate and very public: empty shelves, stalled websites, delayed shipments, or stolen customer accounts.

Reports like the 2025 Verizon DBIR confirm the pattern:

• 93% of retail breaches stem from system intrusion, social engineering, or basic web application attacks
• Third-party involvement doubled year over year
• Credential abuse remains one of the most common attack vectors

In other words: attackers don’t need to invent new tricks. They just exploit the same weak points retailers have struggled with for years.

Major Cybersecurity Breaches in Retail (2020-2025)

SHEIN / Zoetop

What happened?

Parent company Zoetop suffered a breach exposing emails and passwords for millions of customers across SHEIN and ROMWE. Worse, regulators found the company delayed notification and downplayed the scope. In 2022, New York’s Attorney General fined Zoetop $1.9M for failing to protect customer data and properly disclose the incident.

Lesson for retailers:

• Credential-stuffing is inevitable when millions of user/password combos are stolen. Protect accounts with MFA, passkeys, and bot detection.
• Build a communication playbook for rapid customer notification. Regulators won’t accept delay or vagueness.

Neiman Marcus

What happened?

4.6M customers were impacted when attackers infiltrated Neiman Marcus’ systems and accessed payment card details, gift card numbers, and personal information. About 3.1M cards were exposed though most were expired.

Lesson for retailers:

• PCI compliance is only the baseline. Use tokenization and vaulting to minimize exposure of payment data.
• Continuously monitor checkout flows and 3rd-party scripts for anomalies.

GUESS

What happened?

In early 2021, GUESS confirmed a ransomware attack that resulted in stolen customer data, including Social Security numbers and driver’s license info. Attackers not only encrypted systems but also exfiltrated sensitive files—a hallmark of today’s double-extortion campaigns.

Lesson for retailers:

• Ransomware is about data theft as much as downtime.
• Segment critical systems and back up sensitive data offline.
• Include legal, PR, and customer care in ransomware response planning.

Hot Topic

What happened?

Hot Topic experienced repeated credential-stuffing attacks on customer accounts in 2023 and 2024. By late 2024, researchers reported a dataset of ~57M Hot Topic records for sale online, allegedly including emails, addresses, and partial payment info.

Lesson for retailers:

• Protect against account takeover with ATO defenses: device fingerprinting, anomaly detection, and risk-based login challenges.
• Reduce exposure with data minimization. The less PII stored, the less damage if it’s stolen.

Etsy + Marketplace Partners

What happened?

In 2025, researchers uncovered 1.6M customer files exposed through misconfigured Microsoft Azure Blob containers tied to Etsy, TikTok Shop, and Poshmark. Data included order confirmations with names, addresses, and emails. Customers blamed Etsy even though the exposure originated in a third-party vendor’s environment.

Lesson for retailers:

• You’re accountable for your vendors’ mistakes. Audit cloud configurations, both yours and theirs.
• Require encryption, logging, and access controls for all third-party environments.

Marks & Spencer

What happened?

A ransomware attack forced Marks & Spencer to suspend online clothing and home orders for nearly six weeks in spring 2025. The retailer reverted to manual processes, and analysts estimated a £300M profit hit plus over £1B in market value losses. Full restoration took until August.

Lesson for retailers:

• Business continuity is security. Downtime in retail equals lost sales and damaged brand trust.
• Rehearse ransomware response with store ops, finance, and supply chain teams, not just IT.

United Natural Foods (UNFI)

What happened?

On June 5, 2025, UNFI detected unauthorized access and took systems offline, disrupting orders to Whole Foods and other grocers. By late June, core systems were restored, but the damage was already done: shelves went empty and retailers scrambled.

Lesson for retailers:

• Your distributor’s breach is your breach. Build supplier security into contracts with IR SLAs.
• Test manual ordering and backup logistics.

Victoria’s Secret

What happened?

In June 2025, Victoria’s Secret shut down its U.S. e-commerce site and in-store services for nearly four days after detecting a cyberattack. The disruption forced the company to delay its Q1 earnings release, highlighting the financial impact of operational downtime.

Lesson for retailers:

• Cyber incidents impact financial reporting and investor confidence.
• Build IR plans that include PR, investor relations, and compliance.

Adidas

What happened?

In 2025, Adidas confirmed attackers attempted credential-stuffing against customer portals, with a focus on loyalty program accounts. Even though scope was limited, the incident showed how valuable loyalty points and stored customer data are to cybercriminals.

Lesson for retailers:

• Treat loyalty programs like payment systems—protect them with MFA, passkeys, and risk-based login checks.
• Monitor for credential reuse attacks and automate resets.

The North Face

What happened?

The North Face disclosed that 1,500+ customer accounts were compromised through credential-stuffing, exposing emails, addresses, and order history. Attackers exploited widespread password reuse.

Lesson for retailers:

• Deploy bot protections and anomaly detection on logins.
• Store only essential PII in customer accounts.

The Common Threads in Retail Cybersecurity Breaches

Looking across five years of cybersecurity breaches in retail, the same themes repeat:

• Identity is the weak link. Credential-stuffing, reused passwords, and infostealer data drive retail breaches.
• Ransomware equals downtime. GUESS, M&S, and Victoria’s Secret show that outages cripple revenue.
• Third-party risk is real. UNFI and Etsy show how vendor missteps quickly become your problem.
• Data minimization works. Hot Topic and Neiman Marcus demonstrate the danger of storing excess PII.
• Disclosure discipline matters. SHEIN proved regulators punish delays and weak response plans.

How ArmorPoint Managed SOC Can Help Retailers

With ArmorPoint’s Managed SOC services, retailers gain the confidence that their operations and customer trust are protected around the clock. Continuous monitoring and enriched threat intelligence mean threats like ransomware and account takeover attempts are stopped before they disrupt sales. Built-in visibility across supply chains and cloud environments reduces third-party and misconfiguration risks, while proven playbooks help teams recover quickly when incidents occur. Scalable by design, ArmorPoint empowers both large retailers and fast-growing e-commerce brands to minimize downtime, safeguard customer data, and maintain the seamless shopping experience buyers expect.

Conclusion

From Macy’s and Neiman Marcus to M&S and UNFI, the last five years have proven that retail cybersecurity is business resilience. Whether it’s protecting customer accounts, keeping e-commerce websites online, or ensuring grocery deliveries stay on schedule, security failures directly impact revenue and trust.

Ready to get the visibility, intelligence, and always-on protection you need to keep operations running and customers confident? Request a demo today.