06 October 2025

Kevin Curran, IEEE senior member and professor of cybersecurity at Ulster University
In the space of just a few weeks, many high street and online retailers were impacted by serious cyber incidents that disrupted their business-critical services earlier this year. Ecommerce platforms were knocked offline and physical payments systems were temporarily unavailable. These incidents were a harsh reminder of how vulnerable retailers are when their networks are so closely tied to third-party suppliers and service providers.
Why attackers target the supply chain
The retail sector’s reliance on external vendors for services like payment processing, logistics, customer analytics and marketing has created new entry points for attackers. These partners are often granted access to sensitive systems or customer data but may not maintain the same level of cybersecurity maturity as the retailers themselves, leaving a weak link in the supply chain. Smaller retailers are especially exposed, as limited cybersecurity resources can make them easier targets for attack.
Regardless of size, once third-party vendors are given access, it takes just one compromise to put an entire network at risk. The 2013 Target incident is still one of the most cited examples of third-party risk, where attackers used stolen credentials from an external HVAC vendor to gain entry to the network, exposing more than 41 million credit card records.
Today, cybercriminals are still exploiting these gaps, targeting weak vendor access points, remote connections and cloud integrations as convenient gateways into larger and better-protected organisations. The ongoing shift towards cloud-based services and SaaS platforms has also increased the attack surface.
On top of supply chain weaknesses, the data retailers hold – from payment details to loyalty scheme information to customer records – makes them attractive, lucrative targets. Regulators add to the pressure by holding the primary business accountable for breaches, even if they originate with a partner. Under GDPR, for instance, brands remain responsible, which means retailers will need to get a handle on third-party risk or face significant reputational and financial damage.
Defending retail networks
Retailers need a layered approach to security, covering people, processes and technology. This starts with re-evaluating the vendor selection process to make sure all partners follow recognised standards like ISO 27001, SOC 2 or PCI DSS. Security requirements and breach reporting obligations should be written clearly in contracts and SLAs from the outset.
Once relationships are in place, tighter access controls are needed. A Zero Trust approach, built on least privilege, limits third parties to the specific data and systems they genuinely need, and authenticates and authorises every connection rather than trusting it because it comes from a known partner. Multi-factor authentication (MFA) should also be enforced across all third-party connections. The Snowflake incidents in 2024, in which attackers logged into customer accounts using stolen credentials that were not protected by MFA, are a good example of how dangerous weak access controls can be.
Network segmentation is an important safeguard, adding an extra layer of protection by isolating critical systems such as PoS terminals and customer databases from the segments vendors are allowed to reach. By keeping these areas separate, a compromised vendor account or connection can be contained before it spreads. In fact, many of the most damaging breaches in recent years could have been contained had this been in place.
However, segmentation alone is not enough. Modern retailers operate in an environment where threats advance quickly and supply chains are constantly shifting, which makes continuous monitoring vital. Tools that can detect unusual behaviour across third-party connections provide early warning of suspicious activity and give security teams the chance to intervene before small issues escalate into major incidents. Additionally, cyber insurance policies should be reviewed carefully to ensure they cover breaches involving third-party vendors, as not all of them do.
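The access-control and monitoring points above can be combined into a single check: give each vendor account a least-privilege policy (the one network segment it needs, a maintenance window, MFA mandatory) and run every third-party access event against it. The following is an added example, not code from the article or from any retailer's tooling; the vendor names, the 10.50.0.0/24 and 10.20.0.0/24 segments, the maintenance windows and the space-separated log format are all assumptions made for illustration, and the log lines are constructed.

```python
"""Added example: least-privilege vendor access policy checked against
constructed access-log lines. Not code from the article; the vendor names,
subnets, windows and log format are assumptions for illustration."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time


# Hypothetical policy: each third-party account may reach only the network
# segment it needs, only during its maintenance window, and only with MFA.
@dataclass(frozen=True)
class VendorPolicy:
    allowed_segment: ipaddress.IPv4Network  # the one segment the vendor needs
    window: tuple                           # (start, end) local maintenance window
    mfa_required: bool = True


POLICY = {
    # An HVAC contractor only needs the building-management segment, in office hours.
    "hvac-vendor": VendorPolicy(ipaddress.ip_network("10.50.0.0/24"),
                                (time(8, 0), time(18, 0))),
    # A payments provider needs the payment segment around the clock.
    "payments-vendor": VendorPolicy(ipaddress.ip_network("10.20.0.0/24"),
                                    (time(0, 0), time.max)),
}

# Constructed log lines in an assumed format (not a real product's):
# timestamp user source_ip dest_ip mfa=yes|no
SAMPLE_LOG = """\
2025-10-01T09:12:03 hvac-vendor 203.0.113.5 10.50.0.14 mfa=yes
2025-10-01T22:41:17 hvac-vendor 203.0.113.5 10.50.0.14 mfa=yes
2025-10-01T10:03:44 hvac-vendor 203.0.113.5 10.20.0.7 mfa=yes
2025-10-02T03:15:00 payments-vendor 198.51.100.9 10.20.0.7 mfa=no
2025-10-02T11:30:10 unknown-contractor 198.51.100.22 10.20.0.7 mfa=yes
"""


def parse_line(line):
    """Split one log line into typed fields."""
    ts, user, src, dst, mfa = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "mfa": mfa == "mfa=yes",
    }


def evaluate(event):
    """Return the list of policy violations for one access event (empty if clean)."""
    policy = POLICY.get(event["user"])
    if policy is None:
        # An account nobody onboarded is itself the finding.
        return ["unknown third-party account"]
    findings = []
    if policy.mfa_required and not event["mfa"]:
        findings.append("single-factor login")
    if event["dst"] not in policy.allowed_segment:
        findings.append(
            f"reached {event['dst']} outside permitted segment {policy.allowed_segment}")
    start, end = policy.window
    if not (start <= event["ts"].time() <= end):
        findings.append("access outside maintenance window")
    return findings


def scan(log_text):
    """Run every line through the policy; return (line_no, user, findings) for violations only."""
    alerts = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        ev = parse_line(line)
        findings = evaluate(ev)
        if findings:
            alerts.append((n, ev["user"], findings))
    return alerts


if __name__ == "__main__":
    for n, user, findings in scan(SAMPLE_LOG):
        print(f"line {n}: {user}: {'; '.join(findings)}")
```

Run against the constructed log, the first line (HVAC vendor, its own segment, office hours, MFA) passes, and the other four each raise one finding: an out-of-hours login, a hop from the building-management segment into the payment segment, a single-factor login by the payments provider, and an account that was never onboarded. The point is that the policy is written per vendor and per segment, so a stolen vendor credential is limited to one segment and one window, and any attempt to go further is visible as soon as it happens.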
Lastly, people within the organisation play an important role too. Staff need to be trained to recognise warning signs, and incident response plans should be tested regularly with vendor-related scenarios included. No defence is flawless, but the ability to act quickly and decisively can make all the difference.
Looking ahead
In time, third-party breaches will become more frequent and more sophisticated. Attackers are already using AI to spot vulnerabilities faster, scan for weaknesses at scale and automate parts of an attack. This makes it easier to exploit even the smallest gaps in a retailer’s digital supply chain.
Regulators may also tighten enforcement of laws such as GDPR, with heavier fines for organisations that fall short on third-party risk management. For retailers, that means treating vendor security as part of their own and rethinking how they work with partners, with greater emphasis on transparency, ongoing risk assessments and recognised certifications. At the same time, demand for automated third-party risk management platforms is expected to grow, giving retailers real-time visibility across their supply chains.
Some may adopt secure-by-design practices to limit reliance on suppliers for sensitive data, while others could bring security into development cycles earlier through DevSecOps and continuous penetration testing.
Attackers are very opportunistic and will always hunt for weaknesses among third-party vendors, cloud platforms and other outsourced providers. Rather than backing away from these important relationships, retailers should focus on raising the standard of security across every connection.
With greater accountability, stronger governance and tighter control across the ecosystem, this shift should be seen as a positive step for the sector and its customers.