UK Retail Data Breaches 2023–2024: Key Cases and What They Reveal
UK retail continues to generate a steady stream of data breach incidents — card skimming attacks on e-commerce sites, ransomware attacks on trading systems, supply chain compromises through technology providers, and insider data theft. Understanding the actual pattern of retail breaches — their causes, their consequences, and the regulatory response — is the most direct route to prevention.
UK retail reported 1,340 personal data breach incidents to the ICO in 2023 — a 23% increase on 2022, with cyber-enabled breaches accounting for the majority of significant incidents.
Major UK Retail Cyber Incidents 2023–2024
Notable UK retail cyber incidents in 2023–2024 included: a major UK supermarket loyalty platform breach that exposed 800,000 customer records through an API misconfiguration (attackers could query customer data by incrementing a predictable identifier in the API endpoint — a basic access control failure); a fashion retailer ransomware attack during the Christmas trading period that took EPOS and e-commerce systems offline for four days; multiple Magecart infections on UK e-commerce sites running outdated Magento versions (security researchers identified over 200 UK retail sites simultaneously infected with the same card-skimming code); and a retail technology provider breach that affected multiple UK retailers' loyalty scheme data simultaneously — a supply chain attack affecting clients who had not assessed their supplier's security posture.
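The loyalty platform failure described above (customer records retrievable by incrementing a predictable identifier) comes down to a missing object-level authorization check. The Python below is an added example, not code from any retailer or incident mentioned here: it puts the flawed lookup beside a corrected one and adds a small check suitable for a regression test. The Session type, function names and sample records are constructed for illustration.

```python
# Added illustration: every name and record here is constructed, not taken from a real system.
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    customer_id: int                 # identity established at login, never taken from the URL
    is_support_staff: bool = False   # hypothetical role flag for legitimate cross-account access

# Constructed sample records keyed by a sequential, guessable identifier.
CUSTOMERS = {
    1001: {"name": "A. Example", "email": "a@example.test", "points": 120},
    1002: {"name": "B. Example", "email": "b@example.test", "points": 45},
    1003: {"name": "C. Example", "email": "c@example.test", "points": 300},
}

class Forbidden(Exception): ...
class NotFound(Exception): ...

def get_customer_vulnerable(session, requested_id):
    """Flawed: any authenticated caller receives whichever record the path names."""
    record = CUSTOMERS.get(requested_id)
    if record is None:
        raise NotFound(requested_id)
    return record

def get_customer_hardened(session, requested_id):
    """Object-level check: the record must belong to the caller, or the caller is staff."""
    if requested_id != session.customer_id and not session.is_support_staff:
        # Refuse before the lookup so the response does not reveal which IDs exist.
        raise Forbidden()
    record = CUSTOMERS.get(requested_id)
    if record is None:
        raise NotFound(requested_id)
    return record

def records_exposed(handler, session, id_range):
    """Regression check: how many records can this session read across id_range?"""
    exposed = 0
    for cid in id_range:
        try:
            handler(session, cid)
            exposed += 1
        except (Forbidden, NotFound):
            pass
    return exposed
```

For an ordinary customer session, `records_exposed` should never return more than 1 for any handler that serves per-customer data; a higher count in a test suite points to the same class of failure.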
ICO Enforcement in UK Retail 2023–2024
The ICO's enforcement actions in UK retail during 2023–2024 included: a monetary penalty for a retail loyalty programme that shared customer data with a data broker without adequate disclosure or consent; enforcement notices for retailers that failed to respond to subject access requests within the statutory 30-day period; and reprimands for retailers that suffered data breaches through inadequate security measures (specifically cited: absence of MFA, failure to apply critical patches to e-commerce platforms within reasonable timescales, and inadequate third-party data processor contractual controls). The ICO has signalled particular focus on retail marketing practices and the lawfulness of data sharing with third-party advertising and analytics platforms. Retailers with complex marketing technology stacks should review their data flows and consent mechanisms.
Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.