Retail spent 2025 absorbing one of the worst cybercrime waves in its history. Ransomware appeared in 44% of all confirmed breaches analyzed by the Verizon 2025 Data Breach Investigations Report, up from 32% the year prior. In the UK alone, ransomware attacks on Marks & Spencer, Co-op, and Harrods carry a combined financial impact estimated at £270 million to £440 million by the UK Cyber Monitoring Centre. Commerce remained the single most attacked industry online, with retail accounting for 62% of attacks on the sector according to Akamai. And bots, increasingly AI-driven, now generate 39% of traffic to online retail, per the Imperva 2025 Bad Bot Report. These are the retail cybersecurity statistics IT, security, and loss-prevention leaders need to know in 2026.
Key retail cybersecurity statistics at a glance
- 44% of all confirmed data breaches in 2025 involved ransomware, up from 32% in 2024, per the Verizon 2025 DBIR. Retail sits among the persistently targeted industries.
- 58% of retailers hit by ransomware paid to recover their data in 2025, per Sophos State of Ransomware in Retail 2025. The median retail ransom demand doubled year over year to $2 million.
- £270M to £440M is the estimated combined financial impact of the M&S and Co-op cyberattacks, classified as a Category 2 systemic event by the UK Cyber Monitoring Centre, with M&S alone forecasting a £300 million hit to its 2025/26 profits.
- Commerce is the #1 attacked vertical online, and retail accounts for 62% of attacks on it, with web attacks against commerce up 33% year over year, per Akamai.
- 64% of all bot attacks on the retail sector targeted API business logic in 2025, per the Imperva 2025 Bad Bot Report, and 39% of bad bot traffic landed on online retail.
- 22% of all 2025 breaches started with credential abuse and 34% involved exploitation of vulnerabilities, with third-party involvement doubling to 30%, per the Verizon 2025 DBIR.
- $199 million in U.S. consumer losses were tied to gift card fraud in the first three quarters of 2025, up from $158 million the year prior, per the FTC Consumer Sentinel Network data book.
- $4.44 million was the global average cost of a data breach in 2025, with retail among the sectors that bucked the downward trend and saw costs rise, per the IBM 2025 Cost of a Data Breach Report.

Ransomware is the defining retail threat of 2025 and 2026
Ransomware was the single biggest story in retail cybersecurity over the past 18 months. The Verizon 2025 Data Breach Investigations Report analyzed 22,052 incidents and 12,195 confirmed breaches across 139 countries and found ransomware in 44% of all confirmed breaches, up sharply from 32% the year before. Persistent threats to education, financial services, and retail were flagged as a top concern. Retail also weathered roughly a 15% increase in cyber incidents year over year, with attackers pivoting from payment card data toward easier targets like customer credentials and operational data.
The retail-specific picture from Sophos State of Ransomware in Retail 2025 adds more detail. Of retailers hit by ransomware in 2025, 58% paid the ransom, well above the cross-industry average. The median ransom demand doubled to $2 million from $1 million in 2024, and the share of demands above $5 million grew from 17% to 27%. The mean cost of recovery, excluding any ransom paid, was $1.65 million per attack, a 40% year-over-year drop that Sophos attributes to better playbooks and faster restoration. Encryption rates fell to their lowest level in five years (48% of attacks resulted in encryption, down from a peak of 71% in 2023), while extortion-only attacks tripled from 2% to 6% as attackers leaned on data theft instead of file locking.
Causation looks remarkably mundane. Per Sophos, 46% of retail ransomware victims blamed unknown security gaps and 45% blamed a lack of in-house expertise, the highest expertise gap recorded in any surveyed sector. The retail sector is still running on lean security teams compared with financial services or healthcare, and ransomware affiliates know it.
M&S, Co-op, and Harrods: the case studies that defined retail risk in 2025
The 2025 attacks on three British retail giants illustrated how quickly ransomware can move from IT problem to capital-markets event. The UK Cyber Monitoring Centre classified the combined M&S and Co-op incidents as a Category 2 systemic cyber event, with estimated financial impact between £270 million and £440 million. Marks & Spencer alone has forecast a £300 million hit to operating profit in 2025/26, lost roughly £1.3 million per day in online sales during the outage, and saw consumer spending drop 22%. Co-op, attacked at almost the same time, had data on all 6.5 million of its members compromised and an estimated £206 million in lost sales. Harrods was hit twice, with a September 2025 third-party breach exposing roughly 430,000 customer records.
The threat actor pattern matters. The Verizon 2025 DBIR shows third-party involvement in breaches doubling to 30% in 2025, and exploitation of vulnerabilities surging 34%. The M&S, Co-op, and Harrods attacks fit both patterns: social engineering against IT helpdesks gave attackers initial access, and a third-party provider was the route into Harrods. Credential abuse drove 22% of all 2025 breaches and stolen credentials drove 88% of basic web application attacks, per the same Verizon report. Retail, with thousands of seasonal employees and high helpdesk volumes, is uniquely exposed to credential-led intrusions.
Magecart, web skimming, and the PCI DSS 4.0 response
Payment card skimming on e-commerce checkout pages, the family of attacks known collectively as Magecart, remained one of the most persistent threats to online retail in 2025 and 2026. The PCI Security Standards Council responded by making two new requirements mandatory in PCI DSS 4.0.1 as of March 31, 2025. Requirement 6.4.3 requires that all payment page scripts be authorized, integrity-checked, and inventoried, and requirement 11.6.1 mandates a change- and tamper-detection mechanism that alerts personnel to unauthorized payment-page changes at least weekly. Both apply in full to merchants that validate via SAQ A-EP or SAQ D, which covers most retailers that touch a checkout page on their own infrastructure.
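A minimal monitor of the kind requirements 6.4.3 and 11.6.1 call for, as an added example that is not code from the page or from the PCI Security Standards Council: it keeps an inventory of authorized payment-page scripts keyed by Subresource Integrity (SRI) hash, then re-parses the page and flags scripts that were never authorized, scripts whose content changed since the baseline, and external scripts served without an integrity attribute. The URLs under cdn.example.invalid, the script bodies and the function names are constructed for the example.

```python
import base64, hashlib
from html.parser import HTMLParser
def sri_hash(body: bytes) -> str:
    """SRI value ('sha384-<base64 digest>') for a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()
class ScriptCollector(HTMLParser):
    """Collects ("src", url, integrity) or ("inline", body, None) per <script>."""
    def __init__(self):
        super().__init__()
        self.scripts, self._buf = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append(("src", a["src"], a.get("integrity")))
        elif tag == "script":
            self._buf = []  # start buffering an inline script body
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append(("inline", "".join(self._buf).strip(), None))
            self._buf = None
def check_payment_page(html, fetched, inventory, inline_allowed):
    """11.6.1-style tamper check against a 6.4.3-style script inventory.
    fetched: {url: bytes} the monitor retrieved; inventory: {url: sri};
    inline_allowed: set of SRI values for approved inline scripts."""
    p = ScriptCollector(); p.feed(html)
    findings = {"unauthorized": [], "modified": [], "missing_sri": []}
    for kind, ref, integrity in p.scripts:
        if kind == "inline":
            if sri_hash(ref.encode()) not in inline_allowed:
                findings["unauthorized"].append("inline:" + ref[:30])
        elif ref not in inventory:
            findings["unauthorized"].append(ref)
        elif sri_hash(fetched[ref]) != inventory[ref]:
            findings["modified"].append(ref)
        if kind == "src" and not integrity:  # browser cannot enforce integrity without SRI
            findings["missing_sri"].append(ref)
    return findings
# Constructed sample data: authorized baseline, then a later fetch with one changed and one new script.
CDN = "https://cdn.example.invalid/"
BASELINE = {CDN + "checkout.js": b"window.pay=function(){};", CDN + "analytics.js": b"track('view');"}
INVENTORY = {url: sri_hash(body) for url, body in BASELINE.items()}
INLINE_OK = {sri_hash(b"initCheckout();")}
LATER = {**BASELINE, CDN + "analytics.js": b"track('view');/*changed*/", CDN + "extra.js": b"/*new*/"}
PAGE = (f'<script src="{CDN}checkout.js" integrity="{INVENTORY[CDN + "checkout.js"]}"></script>'
        f'<script src="{CDN}analytics.js"></script><script src="{CDN}extra.js"></script>'
        '<script>initCheckout();</script>')
```

In production the baseline inventory would be reviewed and signed off as part of change control, and the check run at least weekly against the live checkout page, as 11.6.1 requires.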
The pressure that drove those requirements is visible in attack data. The Imperva 2025 Bad Bot Report notes that financial services, healthcare, and e-commerce are the most affected sectors for automated attacks because they rely on APIs for critical operations and sensitive transactions. The same report shows that 64% of all bot attacks on the retail sector in 2025 targeted API business logic, which is exactly the surface that script-based skimming abuses. Retailers that have not implemented client-side script monitoring are still discovering Magecart infections months after attackers planted the loader.
Bots, account takeover, and the AI-driven traffic surge
Automated abuse is the second-largest line item on most retail security budgets after ransomware. The Imperva 2025 Bad Bot Report found that automated bot traffic, both good and bad, now exceeds human traffic on the open internet for the first time. Bad bot traffic alone makes up 37% of total web traffic, up from 32% in 2023, and 39% of bad bot traffic to online retail was recorded in 2025. Account takeover attempts jumped roughly 40% year over year, and 14% of all logins were takeover attempts. AI-driven bots that mimic human behavior more convincingly are the main reason retailers are losing the cat-and-mouse game with simple CAPTCHA defenses.
API targeting is the most worrying shift. Per the same Imperva report, 64% of all bot attacks on the retail sector targeted API business logic in 2025, and 44% of advanced bot traffic targeted APIs across industries in 2024. Retail APIs back loyalty programs, checkout, inventory lookups, and product catalogs, all of which are valuable to scrapers, gray-market resellers, and credential stuffing operators. The wider Akamai data backs this up: per Akamai, API attacks rose 113% year over year and DDoS incidents rose 104% in 2025, and 87% of organizations surveyed reported at least one API security incident during the year.
Holiday season is still the highest-risk window for retailers
Retail attack patterns continue to peak around the U.S. and U.K. winter shopping window. Per Akamai, commerce was the most targeted industry across 2025, drawing nearly three times the web attacks of the next-closest sector (high technology), and retail was the most targeted subvertical within it at 62% of attacks. The Akamai research highlights that holiday traffic spikes give attackers cover: DDoS, credential stuffing, gift card enumeration, and scraping all blend into legitimate seasonal volume, which delays detection.
The FTC Consumer Sentinel Network 2024 Data Book, released in 2025, frames the consumer side of the same trend. Americans filed more than 2.6 million fraud reports in 2024 with $12.5 billion in reported losses, a 25% rise over 2023. Gift cards were the most commonly reported payment method for scams, and U.S. consumer losses tied to gift card fraud reached $198.8 million in the first three quarters of 2025, up from $158.4 million in the same window of 2024. Target gift cards led the brand-level rankings, with victims reporting an average of $2,500 in losses.
Breach economics: retail among the sectors where breach costs are still rising
Even as the global average data breach cost fell, retail did not get the break. Per the IBM 2025 Cost of a Data Breach Report, the global average cost of a data breach in 2025 was $4.44 million, down 9% from $4.88 million the prior year, with U.S. companies averaging $10.22 million per breach. IBM noted that retail was one of the sectors that bucked the downward trend and saw breach costs rise, alongside entertainment, media, hospitality, education, research, and public sector. The mean time to identify and contain a breach dropped to 241 days, the lowest in nine years, but retail breaches that involved third parties and phishing-based intrusions ran longer and cost more than the median.
The 2025 IBM analysis of AI risk identifies a new cost driver retailers should plan for: shadow AI inside the organization. Companies that had ungoverned AI tooling paid roughly $670,000 more per breach on average. Retail brands have rushed AI-powered product search, personalization, and customer service agents into production over the last 18 months, often ahead of governance policies, which puts a fresh control gap into the breach math.
Emerging retail cybersecurity trends in 2026
Third-party and supply chain risk is now the central retail exposure. Per the Verizon 2025 DBIR, third-party involvement in breaches doubled to 30% in 2025. The Harrods second incident and the broader pattern across U.K. retail show that vendor compromise is now the most common path into the customer database, not direct attacks on the retailer.
Identity, not the firewall, is the retail perimeter. Credential abuse drove 22% of all 2025 breaches and stolen credentials drove 88% of basic web application attacks, per Verizon. Retailers with thousands of seasonal employees rotating through point-of-sale, warehouse, and helpdesk roles are the highest-risk identity environments in any industry.
PCI DSS 4.0.1 enforcement is forcing client-side script governance. Per the PCI Security Standards Council, requirements 6.4.3 and 11.6.1 became mandatory in March 2025. Magecart-style skimming is now a documented control failure, not a theoretical one, which means assessor scrutiny on payment page integrity is rising.
AI-driven bots are turning every retail API into an attack surface. Per the Imperva 2025 Bad Bot Report, 64% of bot attacks on retail in 2025 targeted API business logic, account takeover attempts rose roughly 40%, and AI-mimicking bots are evading the CAPTCHA and rate-limit defenses that worked five years ago.
Ransom payment rates are climbing in retail even as encryption falls. Per Sophos, 58% of attacked retailers paid in 2025, the median demand doubled to $2 million, and extortion-only attacks tripled. The economic incentive for attackers to keep targeting retail is rising, not falling.
Shadow AI is the new cost line on retail breach math. Per the IBM 2025 Cost of a Data Breach Report, breaches involving ungoverned AI added roughly $670,000 per incident. Retail, which has rolled out AI in customer service, search, and personalization faster than most sectors, has the most upside in tightening that governance gap.
For broader context on the trends above, see our data breach statistics and phishing statistics roundups.
How swif.ai helps
swif.ai gives IT and security teams a single console to enforce device, identity, and compliance controls across the macOS, Windows, and Linux endpoints behind the numbers above. Explore swif.ai mobile device management to see how it works.