Retailers and their customers have always been key targets for data breaches; e-commerce and payment data are prime assets for data thieves. AI adds to the risk by making it easier and faster for cybercriminals to launch phishing attacks and scams, and harder for companies to defend themselves. Retail security in the age of AI is evolving faster than ever, and security leaders must keep up.
AI and Cybersecurity for Retail: Attack and Defense Overview
Retail companies and business owners that sell products and services are in the high-value business of people, payments, and personal data. Attackers have always targeted that sector heavily, and are using AI and other generative technologies to find faster, cheaper, and more effective ways to launch phishing attacks, set up automated scams, and hit retailers with ransomware or supply chain compromise. The retail industry is also facing increasing cybersecurity regulation and oversight in the United States and much of the world. In this report, we provide an overview of AI-related cybersecurity threats to retailers and their customers. We then discuss specific privacy and regulatory considerations for retail and e-commerce, including PCI DSS and related compliance. We also share practical, actionable advice about what retail and e-commerce companies need to know about AI and cybersecurity risk, data breach response, and managing cyber budget. Finally, we answer the question, How do retailers manage cyber risk with AI?
The increasing number and size of retail and e-commerce attacks mean the companies that are selling goods and services are in the crosshairs for cyber criminals. The reasons are simple and obvious. Retail and e-commerce data contain everything hackers need to steal identities, access financial accounts, and monetize via card fraud, reselling of personal data, or other activity. Retail attacks also cause major brand damage for companies, often require leadership changes or shake-ups, and create longer-term business risks due to regulatory scrutiny.
Retail Industry Cyber Security Risk and Challenges
Retail companies hold a gold mine of personal data, payment and card information, and — for those that sell prescription drugs or operate clinics or pharmacies — medical data. Attackers value that data both for the ease of monetization and the potential impact on companies that depend on consumer trust and engagement.
AI and Cyber Security for Retail: Attack Details
Attackers have also been making increasing use of AI technologies to automate reconnaissance and phishing attacks in retail. Large language models, like OpenAI’s ChatGPT, are being used to write better-tailored, better-targeted phishing lures and other scams. Generative AI models are also used to create synthetic but convincing profile pictures for new account fraud.
Retailers are also exposed through vendors and other third parties they use for credit card processing, IT support, web hosting and cloud platforms, customer data and identity verification, and shopping cart or checkout services. Threat actors phish the staff of these providers, or compromise the providers themselves, as a path into the larger retail organization, so both people and third-party systems are in scope. Social engineering and business email compromise (BEC) campaigns continue to target human resources (HR) staff and accounts payable teams. In 2024 and into 2025, we are seeing an increase in phishing and BEC attacks against retailer supply chains and vendor finance teams that trick companies into sending funds or sensitive data to threat actors.
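The vendor-impersonation BEC described above usually arrives from a domain that is almost, but not quite, the real supplier's, or from a free-mail address with the supplier's name in the display field. The following is an added example (not code from the original article or from HALOCK) of a mail-gateway or SOAR check that accounts payable could run on inbound invoice or bank-change requests. The vendor domains, the homoglyph table and the sample From: headers are all constructed for illustration.

```python
import unicodedata
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed vendor allow-list; in production this comes from the vendor master / AP system.
KNOWN_VENDOR_DOMAINS = {"acme-logistics.com", "northwind-supply.com"}

# Character substitutions commonly used when registering lookalike domains.
_HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def fold_domain(domain: str) -> tuple[str, bool]:
    """Return (folded_domain, had_non_ascii).

    Folding lower-cases, strips non-ASCII (Cyrillic/Greek homoglyphs) and applies the
    substitutions above, so 'acrne-l0gistics.com' folds to 'acme-logistics.com'.
    """
    d = unicodedata.normalize("NFKC", domain).lower().strip(". ")
    had_non_ascii = any(ord(c) > 127 for c in d)
    d = d.encode("ascii", "ignore").decode()
    for trick, real in _HOMOGLYPHS:
        d = d.replace(trick, real)
    return d, had_non_ascii


def brand_token(domain: str) -> str:
    """'northwind-supply.com' -> 'northwind': the word an impersonator puts in a display name."""
    return domain.split(".")[0].split("-")[0]


def assess_sender(from_header: str, known_domains=KNOWN_VENDOR_DOMAINS, near_match=0.9) -> dict:
    """Classify a From: header as known / unknown / suspicious, with the reasons."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain in known_domains:
        return {"domain": domain, "verdict": "known", "findings": []}

    folded, non_ascii = fold_domain(domain)
    findings = []
    if non_ascii:
        findings.append("non-ASCII characters in sender domain")
    for known in known_domains:
        known_folded, _ = fold_domain(known)
        if folded == known_folded:
            findings.append(f"homoglyph lookalike of {known}")
        elif known in folded:
            # e.g. acme-logistics.com.secure-invoice.net: the real name is a subdomain of an attacker domain
            findings.append(f"known domain {known} embedded in {domain}")
        elif SequenceMatcher(None, folded, known_folded).ratio() >= near_match:
            findings.append(f"near-match of {known} (typo-squat)")
        if brand_token(known) in display.lower():
            findings.append(f"display name claims {known} but address is at {domain}")
    return {"domain": domain, "verdict": "suspicious" if findings else "unknown", "findings": findings}


if __name__ == "__main__":
    for hdr in [
        "Acme Logistics AP <billing@acme-logistics.com>",          # the real vendor
        "Acme Logistics AP <billing@acrne-logistics.com>",         # rn -> m homoglyph
        "Acme Logistics <ap@acme-logistics.com.secure-invoice.net>",  # real name as a subdomain
        "Acme Logistics <acme.invoices@example.org>",              # display-name impersonation
    ]:
        print(assess_sender(hdr))
```

An "unknown" verdict is not a pass: a first-time sender asking to change bank details should still go through the out-of-band callback that the staff-training item later in this piece describes. The point of the check is that "suspicious" verdicts never reach a human who can be talked into skipping it.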
Attack Trends for Retail and E-commerce
E-commerce and retail are especially high-value targets for cyber criminals, and threat actors have repeatedly shown they are willing to take big risks for big payoffs. Attack patterns have evolved through a variety of common and well-known attack and breach types.
The e-commerce and retail sector is again showing strong signs of increased risk and attack activity. An analysis of 2025 breaches shows growth of over 13% in e-commerce and retail attacks as of mid-2025 versus the prior year period. Risks include ongoing breaches from established threat groups as well as BEC campaigns and other phishing and smishing attacks from a broader array of cybercriminals.
Retail Breaches and E-commerce Data Breaches: Trends and Examples
Large retailers, e-commerce platforms, and major consumer brands experienced notable breaches in 2025. Tracking of reported incidents counted 56 in retail and e-commerce as of June 2025, a 13% increase over the prior 12-month period; among the year's incidents, the 2025 Coupang breach exposed tens of millions of records (see below). Many of these incidents involve established threat groups exfiltrating data, with no confirmed downstream misuse at the time of reporting. Groups such as Lapsus$, Groove, Carbanak/FIN7, Clop, Conti and Wizard Spider, and FIN6 remain active. Other breaches and incidents reported in 2025 involved BEC attacks from a broader set of cybercriminals.
Recent Retail Breaches and E-commerce Data Breaches
- BigCommerce (October 2025)
- Range (July 2025)
- Danone (March 2025)
- Uber Eats France (February 2025)
The Coupang data breach, in which the threat actors accessed tens of millions of customer and transaction records, is also a stark reminder that there are far more data breaches than the ones in the news, and the “long tail” of ransomware and attack-related activity often goes unreported. Furthermore, as seen in breaches of retail services providers like Range, BigCommerce, and others in 2025, e-commerce platforms are in the high-value business of hosting retailer data as well as being major attack targets themselves.
AI Changes the Threat Landscape for Retailers
Retailers should be aware of the following threat vectors and emerging AI trends for attack and defense:
AI-Powered Phishing and Social Engineering. Generative AI is helping cybercriminals write more personalized and compelling phishing emails, fake support agent lures, and realistic online listings and customer profiles. AI is also being used for synthesized speech and videos in scams.
Deepfake-Driven Fraud. Deepfake voice and video impersonation has already been used for multi-million dollar frauds, including against retailers, where employees have been tricked into processing payments or shipments. That technique is now in reach for criminals targeting retail finance or supply chain teams.
AI Automation of Vulnerability Discovery and Exploit Code Generation. Attackers can use AI to automate reconnaissance and find weak configurations in cloud storefronts or supply chain components, as well as to generate code for exploits. Attackers are then able to move laterally across environments and identify and access new data and systems more quickly.
Fraud at Scale. Retailers should also be prepared for automated account creation and fraud at scale using AI to generate fake accounts and profiles, fake reviews and other customer content, and synthetic identities and bot fraud against loyalty program or other automated payment schemes and promotions.
Key Regulatory and Privacy Considerations for Retail and E-commerce
Retailers must manage payment data security standards, state and national privacy laws, and sector-specific regulation where retail activities touch protected health information.
Payment data and PCI DSS. PCI DSS requirements and controls around the handling of cardholder data are foundational for protecting customer payment card data and for merchant or retailer liability mitigation. For companies that accept and process card payments, PCI remains important and core to data breach response.
State Privacy Laws and Enforcement. A growing number of US states now have privacy laws that give customers rights over their data and restrict how companies use, sell, and share it. California's CCPA, as amended by the CPRA, and the enforcement that follows from it are among the most high-profile and relevant for larger retailers operating in California.
Federal Enforcement and Consumer Protection Law. The Federal Trade Commission (FTC) has a long history of actions against retailers for data security or deceptive practices, including where privacy promises are made but not implemented.
HIPAA When Health Data Is Involved. Retailers that operate pharmacies, clinics, or have wellness programs that touch health information may be covered entities or business associates under HIPAA and need to implement controls for HIPAA compliance where appropriate. Review your HIPAA status and breach reporting obligations.
Corporate Disclosure and Governance Expectations Around Cyber and AI. Boards, investors, and regulators are increasingly expecting companies to publicly disclose their cyber and AI risk governance practices. Boards should be prepared to show their cyber risk and AI usage oversight, and poor governance can become a legal and regulatory liability in shareholder suits or regulatory actions.
Retail and E-commerce: Practical Cybersecurity Steps to Take Now
Retailers can take a number of steps, including some near-term, practical actions and processes to shore up their data security and breach readiness.
- Treat AI Risk as Part of the Threat Model. Assume adversaries use AI-enabled phishing, BEC, social engineering, deepfakes, and synthetic identity fraud, and add those techniques and scenarios to red team and tabletop exercises.
- Harden Customer Identity Verification Flows and Loyalty Programs. Multi-factor authentication (MFA), behavior analytics, device fingerprinting, and additional onboarding checks can help reduce synthetic identity fraud and automated account creation. This type of fraud is expensive and also targets loyalty and promotions programs.
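The "fraud at scale" threat described earlier and the onboarding checks in the item above meet at the signup endpoint. Below is an added example (not code from the original article or from HALOCK) of a risk scorer that combines static signals (disposable mail domain, batch-generated address, automation user agent) with sliding-window velocity on the client IP and on a device fingerprint the front end supplies. The weights, thresholds, the disposable-domain list and the replayed events are all constructed for illustration; the decision values map to "let through", "require MFA or an extra onboarding check", and "refuse".

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed block-list; real deployments use a maintained disposable-domain feed.
DISPOSABLE_DOMAINS = {"mailinator.com", "tempmail.example"}
# User-agent fragments a real shopper's browser does not send.
BOT_UA_MARKERS = ("headlesschrome", "python-requests", "curl/", "phantomjs")


@dataclass
class SignupEvent:
    ts: int          # unix seconds
    email: str
    ip: str
    device_fp: str   # hash of browser/device attributes collected by the front end
    user_agent: str


class SignupRiskScorer:
    """Sliding-window velocity plus static signals; returns allow / step_up / block."""

    def __init__(self, window_s=3600, ip_limit=5, fp_limit=3, step_up_at=30, block_at=70):
        self.window_s, self.ip_limit, self.fp_limit = window_s, ip_limit, fp_limit
        self.step_up_at, self.block_at = step_up_at, block_at
        self.by_ip = defaultdict(deque)   # ip -> timestamps of recent signups
        self.by_fp = defaultdict(deque)   # device fingerprint -> timestamps

    def _recent(self, bucket, key, now):
        q = bucket[key]
        while q and now - q[0] > self.window_s:   # drop events that fell out of the window
            q.popleft()
        return len(q)

    def score(self, ev: SignupEvent):
        score, reasons = 0, []
        local, _, domain = ev.email.lower().rpartition("@")
        if domain in DISPOSABLE_DOMAINS:
            score += 40
            reasons.append("disposable email domain")
        if re.fullmatch(r"[a-z]+\d{4,}", local):
            score += 20
            reasons.append("batch-generated-looking local part")
        if any(m in ev.user_agent.lower() for m in BOT_UA_MARKERS):
            score += 25
            reasons.append("automation user agent")
        ip_n = self._recent(self.by_ip, ev.ip, ev.ts)
        if ip_n >= self.ip_limit:
            score += 35
            reasons.append(f"{ip_n} prior signups from {ev.ip} in window")
        fp_n = self._recent(self.by_fp, ev.device_fp, ev.ts)
        if fp_n >= self.fp_limit:
            score += 35
            reasons.append(f"{fp_n} prior signups from device {ev.device_fp} in window")
        # record after scoring so the first signup from a device is never penalised
        self.by_ip[ev.ip].append(ev.ts)
        self.by_fp[ev.device_fp].append(ev.ts)
        decision = "block" if score >= self.block_at else "step_up" if score >= self.step_up_at else "allow"
        return decision, score, reasons


def demo():
    """Replay constructed events: a human, an obvious bot, a slow farm on one device, then one after the window."""
    s = SignupRiskScorer()
    t0 = 1_700_000_000
    human = SignupEvent(t0, "maria.ortiz@example.com", "198.51.100.7", "fp-a1", "Mozilla/5.0 (Windows NT 10.0) Chrome/124")
    bot = SignupEvent(t0 + 5, "bob48213@mailinator.com", "198.51.100.8", "fp-b2", "python-requests/2.31")
    farm = [SignupEvent(t0 + 60 * i, f"user{i}.ok@example.com", "203.0.113.9", "fp-shared", "Mozilla/5.0 Chrome/124")
            for i in range(6)]
    late = SignupEvent(t0 + 60 * 5 + 4000, "user9.ok@example.com", "203.0.113.9", "fp-shared", "Mozilla/5.0 Chrome/124")
    return [s.score(e)[0] for e in [human, bot, *farm, late]]


if __name__ == "__main__":
    print(demo())
```

The farm in the replay is the interesting case: each account on its own looks clean, so only the shared device fingerprint escalates it to step-up and then, once the IP velocity trips as well, to a block. Apply the same scorer to loyalty enrolment and promo-code redemption, which is where the fake accounts get monetized.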
- Secure the Payment Chain and Validate PCI Controls. PCI DSS controls over cardholder data remain core. PCI compliance and regular vulnerability management are key to managing payment data security and breach exposure, and are a top priority for auditors and compliance leaders.
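One of the most common ways cardholder data ends up outside the PCI scope is an application that logs the full PAN. The following is an added example (not code from the original article or from HALOCK) of a scanner that finds primary account numbers in log lines using a Luhn check plus issuer-prefix validation, and rewrites them to the first-six/last-four form that PCI DSS allows to be displayed. The log lines are constructed; the PANs in them are the widely published Visa and Mastercard test numbers, not real cards.

```python
import re

# A run of 13-19 digits, optionally separated by single spaces or dashes, not touching other digits.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every PAN passes it, about 90% of random digit strings fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_brand(digits: str):
    """Issuer-prefix and length check for the major brands; None if no brand matches."""
    n = len(digits)
    two, three, four = int(digits[:2]), int(digits[:3]), int(digits[:4])
    if digits[0] == "4" and n in (13, 16, 19):
        return "visa"
    if (51 <= two <= 55 or 2221 <= four <= 2720) and n == 16:
        return "mastercard"
    if two in (34, 37) and n == 15:
        return "amex"
    if (four == 6011 or two == 65 or 644 <= three <= 649) and 16 <= n <= 19:
        return "discover"
    return None


def mask_pan(raw: str) -> str:
    """Keep first 6 and last 4 digits (the most PCI DSS permits to display); mask the rest, keep separators."""
    total = sum(c.isdigit() for c in raw)
    out, seen = [], 0
    for c in raw:
        if c.isdigit():
            out.append(c if seen < 6 or seen >= total - 4 else "*")
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def _classify(match):
    digits = re.sub(r"[ -]", "", match.group())
    return card_brand(digits) if luhn_ok(digits) else None


def find_pans(text: str) -> list:
    """Return the PAN-like substrings in `text` that pass both the Luhn and the brand check."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        brand = _classify(m)
        if brand:
            hits.append({"span": m.span(), "brand": brand, "masked": mask_pan(m.group())})
    return hits


def redact(text: str) -> str:
    """Same scan, but rewrite the line so it can be retained without holding a full PAN."""
    return _CANDIDATE.sub(lambda m: mask_pan(m.group()) if _classify(m) else m.group(), text)


def scan(lines) -> dict:
    """Line index -> hits, for every line that leaks a PAN."""
    return {i: h for i, line in enumerate(lines) if (h := find_pans(line))}


# Constructed log lines: two leak test-card PANs, one carries a 16-digit tracking number that
# fails Luhn, one is already masked and must not be flagged again.
LOG_LINES = [
    "2025-06-12T10:14:03Z checkout order=ORD-7781 card=4111111111111111 exp=12/27 amount=89.10",
    "2025-06-12T10:14:09Z checkout order=ORD-7782 card=5555 5555 5555 4444 amount=240.00",
    "2025-06-12T10:15:00Z shipment order=ORD-7781 tracking=1234567890123456 carrier=UPS",
    "2025-06-12T10:16:41Z checkout order=ORD-7783 card=411111******1111 amount=12.50",
]

if __name__ == "__main__":
    for i, hits in scan(LOG_LINES).items():
        print(i, [h["brand"] for h in hits], "->", redact(LOG_LINES[i]))
```

Luhn alone is not enough, which is why the brand check is there: roughly one in ten order IDs, tracking numbers or timestamps of the right length would otherwise pass and page someone. Run this in CI against test fixtures and in the log pipeline as a guard; a hit in either place means the application is writing cardholder data somewhere it should not, and that location is now in PCI scope.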
- Secure Health Information Where Applicable. For retailers that collect and store any health information or provide medical or pharmacy services, take the time to confirm HIPAA status and then implement HIPAA Security Rule technical and procedural controls.
- Train Staff on Deepfake and AI Scams. Train finance, supply chain, and customer support teams not to trust voice or video as proof of identity without secondary, policy-approved verification steps.
- Invest in Detection and Shorten Dwell Times. EDR/XDR, attack surface and cloud posture management, and centralized log aggregation help spot anomalies and intrusions sooner. The time between initial intrusion and discovery matters: recent high-profile retail breaches show that companies with longer dwell times suffer far more damage.
- Update Incident Response Plans to Include AI-Enabled Events. Ensure that response playbooks include legal, communications, and regulator notification response considerations for an AI-augmented attack like synthetic identity fraud or deepfake extortion. Regularly practice breach notification timeframes as required by state laws and sectoral rules.
Prioritizing a Limited Cyber Budget
The key steps that apply to all companies in limited budget situations apply here, but with a few retail- and e-commerce-specific notes:
- Pay special attention to the protection of payment and identity systems first. These assets and associated data are the most targeted and often the most subject to legal obligations.
- Minimize and segment data. Reduce data exposure through minimization and segmentation. Fewer copies of high-value data mean less risk and less to manage for compliance.
- Detection over prevention. Weight more of the budget toward detection and response rather than prevention alone; preventive controls still matter, but assume some attacks get through and fund the ability to find them quickly.
Cybersecurity for Retail: How Retailers Can Manage Risk with AI
Retail security in an AI economy is changing fast. Attackers are using AI to automate reconnaissance, write more convincing phishing and social engineering lures, and use deepfakes to create synthetic identities for larger attacks. AI is also allowing cybercriminals to launch more attacks at scale.
Retailers need to think about using AI to automate data security, threat monitoring, testing, and breach response, while still maintaining traditional technical and procedural safeguards. That includes PCI compliance for payment data where relevant, HIPAA controls where necessary, and a data security approach around detection and response.
Retailers should also be aware that regulators are looking closely and starting to enforce both security and privacy practices that impact customer data.
Retail security leaders need to combine traditional data security measures with AI-aware threat modeling and risk analysis, including more robust identity and access security, privacy maturity, and incident response readiness that accounts for faster, more sophisticated, AI-generated attacks.
To successfully approach managing risk in the age of AI, retailers should incorporate reasonable security into their risk strategy.
Establish reasonable security through duty of care.
With HALOCK, organizations can establish a legally defensible security and risk program through Duty of Care Risk Analysis (DoCRA). This balanced approach provides a methodology to achieve reasonable security as the regulations require.
References and Sources
Deloitte, Cyber Threat Trends Report 2025.
McAfee, 2025 Cyber Threat Trends Report.
PCI Security Standards Council, PCI DSS overview and document library.
California privacy resources (CCPA/CPRA) and California Privacy Protection Agency (CPPA) enforcement examples.
HHS Office for Civil Rights (OCR) breach portal and HIPAA breach reporting trends.
Norton and other industry reporting on AI fraud and deepfake trends, 2024–2025.
