NEW YORK (AP) — A string of recent cyberattacks and data breaches involving the systems of major retailers have started affecting shoppers.
United Natural Foods, a wholesale distributor that supplies Whole Foods and other grocers, said this week that a breach of its systems was disrupting its ability to fulfill orders — leaving many stores without certain items.
In the U.K., consumers could not order from the website of Marks & Spencer for more than six weeks — and found fewer in-store options after hackers targeted the British clothing, home goods and food retailer. A cyberattack on Co-op, a U.K. grocery chain, also led to empty shelves in some stores.
Cyberattacks have been on the rise across industries. But infiltrations of corporate technology carry their own set of implications when the target is a consumer-facing business.
Beyond potentially halting sales of physical goods, breaches can expose customers’ personal data to future phishing or fraud attempts.
Here’s what you need to know.
Cyberattacks are on the rise overall
Despite ongoing efforts from organizations to boost their cybersecurity defenses, experts note that cyberattacks continue to increase across the board.
In the past year, there’s also been an “uptick in the retail victims” of such attacks, said Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance, a U.S. nonprofit.
“Cyber criminals are moving a little quicker than we are in terms of securing our systems,” he said.
Ransomware attacks — in which hackers demand a hefty payment to restore hacked systems — account for a growing share of cyber crimes, experts note. And of course, retail isn’t the only affected sector. Tracking by NCC Group, a global cybersecurity and software escrow firm, showed that industrial businesses were most often targeted for ransomware attacks in April, followed by companies in the “consumer discretionary” sector.
Attackers know there’s a particular impact when going after well-known brands and products that shoppers buy or need every day, experts note.
“Creating that chaos and that panic with consumers puts pressure on the retailer,” Steinhauer said, especially if there’s a ransom demand involved.
Ade Clewlow, an associate director and senior adviser at the NCC Group, points specifically to food supply chain disruptions. Following the cyberattacks targeting M&S and Co-op, for example, supermarkets in remote areas of the U.K., where inventory already was strained, saw product shortages.
“People were literally going without the basics,” Clewlow said.
Personal data is also at risk
Along with impacting business operations, cyber breaches may compromise customer data. The information can range from names and email addresses, to more sensitive data like credit card numbers, depending on the scope of the breach. Consumers therefore need to stay alert, according to experts.
“If (consumers have) given their personal information to these retailers, then they just have to be on their guard. Not just immediately, but really going forward,” Clewlow said, noting that recipients of the data may try to commit fraud “downstream.”
Fraudsters might send look-alike emails asking a retailer’s account holders to change their passwords or promising fake promotions to get customers to click on a sketchy link. A good rule of thumb is to pause before opening anything and to visit the company’s recognized website or call an official customer service hotline to verify the email, experts say.
It’s also best not to reuse the same passwords across multiple websites — because if one platform is breached, that login information could be used to get into other accounts, through a tactic known as “credential stuffing.” Steinhauer adds that using multifactor authentication, when available, and freezing your credit are also useful for added lines of defense.
Which companies have reported recent cybersecurity incidents?
A range of consumer-facing companies have reported cybersecurity incidents recently — including breaches that have caused some businesses to halt operations.
United Natural Foods, a major distributor for Whole Foods and other grocers across North America, took some of its systems offline after discovering “unauthorized activity” on June 5.
In a securities filing, the company said the incident had impacted its “ability to fulfill and distribute customer orders.” United Natural Foods said in a Wednesday update that it was “working steadily” to gradually restore the services.
Still, that’s meant leaner supplies of certain items this week. A Whole Foods spokesperson told The Associated Press via email that it was working to restock shelves as soon as possible. The Amazon-owned grocer’s partnership with United Natural Foods currently runs through May 2032.
Meanwhile, a security breach detected by Victoria’s Secret last month led the popular lingerie seller to shut down its U.S. shopping site for nearly four days, as well as to halt some in-store services. Victoria’s Secret later disclosed that its corporate systems also were affected, too, causing the company to delay the release of its first quarter earnings.
Several British retailers — M&S, Harrods and Co-op — have all pointed to impacts of recent cyberattacks. The attack targeting M&S, which was first reported around Easter weekend, stopped it from processing online orders and also emptied some store shelves.
The company estimated last month that the it would incur costs of 300 million pounds ($400 million) from the attack. But progress towards recovery was shared Tuesday, when M&S announced that some of its online order operations were back — with more set to be added in the coming weeks.
Other breaches exposed customer data, with brands like Adidas, The North Face and reportedly Cartier all disclosing that some contact information was compromised recently.
In a statement, The North Face said it discovered a “small-scale credential stuffing attack” on its website in April. The company reported that no credit card data was compromised and said the incident, which impacted 1,500 consumers, was “quickly contained.”
Meanwhile, Adidas disclosed last month that an “unauthorized external party” obtained some data, which was mostly contact information, through a third-party customer service provider.
Whether or not the incidents are connected is unknown. Experts like Steinhauer note that hackers sometimes target a piece of software used by many different companies and organizations. But the range of tactics used could indicate the involvement of different groups.
Companies’ language around cyberattacks and security breaches also varies — and may depend on what they know when. But many don’t immediately or publicly specify whether ransomware was involved.
Still, Steinhauer says the likelihood of ransomware attacks is “pretty high” in today’s cybersecurity landscape — and key indicators can include businesses taking their systems offline or delaying financial reporting.
Overall, experts say it’s important to build up “cyber hygiene” defenses and preparations across organizations.
“Cyber is a business risk, and it needs to be treated that way,” Clewlow said.
