As online retailers embrace artificial intelligence-powered innovations and new e-commerce tools in pursuit of growth, they’re also opening the door to a rising wave of cyber threats. In Q3 2024 alone, cyber attacks surged 75 percent year-over-year and rose 15 percent from the previous quarter.
From new AI-driven attack vectors to identity and supply chain risks, these evolving threats are chipping away at the trust retailers have worked hard to earn. With customer data and operations increasingly under attack, robust cybersecurity has become a critical component of online retail success. Staying ahead of these dangers isn’t just about protecting systems — it’s about safeguarding the loyalty and confidence that are essential for long-term growth in today’s competitive market.
AI Exploitation: A Double-Edged Sword
Retail is transforming with the help of generative AI, but that same innovation comes with serious risks. AI is now used for everything from chatbots to personalized shopping experiences, but attackers are finding ways to exploit these systems. The question retailers must ask is: Are they ready for the cyber threats that could undermine their hard-earned trust?
One of the scariest risks is the manipulation of AI models. Retailers are relying more on AI-driven tools, but those tools are also being targeted at the same speed. For example, Neiman Marcus faced a breach when attackers exploited a compromised chatbot to access its Snowflake-operated cloud database lacking multifactor authentication, exposing sensitive information of over 64,000 customers. In another case, a hacker tricked an AI chatbot into selling a car for just $1. These incidents show that AI systems can be manipulated in dangerous ways, leading to unauthorized data access and potentially huge financial hits.
Supply Chain Attacks: A Growing Risk Year-Round
Cyber threats spike during high-demand periods, but they still pose significant risks throughout the year. In November 2023, the ransomware group Black Basta targeted UCH Logistics, stealing nearly 900 GB of sensitive data, including employee records and personal documents. Known for its double extortion tactics, Black Basta threatened to release stolen data unless its ransom demands were met. Just ahead of Black Friday sales, UCH and the retailers relying on it were met with chaos. The breach disrupted operations and led to significant financial and logistical challenges for retailers relying on UCH’s services to meet increased shipping demand.
The UCH Logistics breach highlights how one vulnerable link in the supply chain can expose the entire network to risk, leaving every connected retailer susceptible to cascading disruptions and financial fallout.
Identity-Based Attacks: The Rising Threat to Consumer Accounts
Another growing concern is identity-based attacks. Credential stuffing, phishing and social engineering are all on the rise, with attackers zeroing in on consumer accounts. Even top retailers aren’t immune — Ticketmaster recently experienced a breach where stolen login details compromised thousands of accounts, despite multifactor authentication being in place.
Attackers often reuse stolen credentials across multiple platforms, exploiting the fact that many people use the same passwords. Meanwhile, phishing scams have become more convincing, with attackers posing as trusted retailers to trick users into sharing sensitive information. These attacks go beyond stealing personal data — payment details, loyalty rewards and gift card balances are frequently compromised, causing financial losses for both consumers and retailers. As these methods become more sophisticated, the stakes are higher than ever, making it essential for online marketplaces to remain vigilant in protecting their platforms.
Third-Party Risks: Heightened Scrutiny, Higher Stakes
Third-party risks are becoming more of a liability as well. Retailers are under increasing pressure to manage their vendor relationships carefully, especially with new regulations like the SEC’s cybersecurity disclosure rules. In 2024, a high-profile breach involving Advance Auto Parts’ third-party vendor exposed the data of approximately 380 million customers, including sensitive information such as loyalty and gas card numbers, sales histories, and employment details.
The incident not only resulted in a sharp drop in Advance Auto Parts’ stock price, but also triggered a complex legal fallout. The stolen data was being offered for sale online for $1.5 million, presenting a serious threat to Advance Auto Parts. The company faced significant financial implications, reputational damage and potential regulatory penalties, highlighting the urgent need for retailers to secure their vendor relationships. Retailers must recognize that failing to safeguard customer data can have devastating consequences, both for their reputation and their bottom line.
Compliance as a Competitive Edge
The pressure is mounting for retailers to not only meet regulatory compliance requirements but also embed security into every layer of their operations. This involves everything from encrypting data and conducting regular risk assessments to ensuring vendor compliance and maintaining real-time incident monitoring. A secure and compliant e-commerce platform offers peace of mind not just to consumers, but also to retailers, knowing they're mitigating risks proactively year-round.
E-commerce platforms that offer comprehensive security measures — e.g., end-to-end data encryption, PCI compliance and secure vendor integrations — enable retailers to stay agile and focused on growth. These capabilities allow merchants to maintain trust with their customers, ensuring business continuity even in the face of cyber challenges. Compliance, in this sense, becomes more than just a regulatory checkbox; it fosters resilience and customer loyalty, helping retailers stand out in a crowded market.
As cyber threats become more sophisticated, compliance will be the foundation of trust and resilience in retail. Meeting regulatory standards is no longer just about avoiding fines — it’s about embedding security into every layer of operations so that companies can stay ahead of evolving regulations and offer customers the peace of mind they now demand.
Dan Holden is the chief information security officer at BigCommerce, a commerce solution provider.
Dan Holden, chief information security officer at BigCommerce, is a seasoned technology innovator and recognized cybersecurity expert with over 25 years of experience, leading his team to balance cybersecurity risks and benefits for the company.