On paper, British high streets have seen worse. Footfall has survived recessions, pandemics and price shocks before, and tills were just about still ringing.
But this year it flickered, stalled and, in some cases, went dark – brought to its knees by a wave of cyber attacks that exposed the fragility of retail in the digital era.
From M&S’s Easter disruption, to Co-op’s data breach, and Jaguar Land Rover’s production lines grinding to a halt for five weeks, the past year has delivered a brutal lesson.
Cyber risk, it seems, is no longer just an IT problem. It has become a systemic economic threat, capable of wiping hundreds of millions off balance sheets, rattling markets and undermining trust in household names.
A year the high street went offline
The numbers alone this year have told a sobering story. London-listed firms have absorbed over £3bn in direct cyber-related damage over the last 12 months.
M&S is still nursing a £300m hole. Co-op has admitted the stolen data linked to millions of members, alongside a nine-figure earnings blow.
JLR’s attack, now widely dubbed as the most economically damaging cyber incident in UK history, wiped an estimated £1.9bn from the economy and dragged down national car production by nearly 30 per cent in September.
And these weren’t just smash and grab hacks, either. They were slow-burn operations, often exploiting third-party suppliers, legacy systems or basic security failings.
In many cases, attackers were inside networks for weeks before pulling the trigger. Charl van der Walt, head of security research at Orange Cyberdefense, told City AM that trust has become industrialised.
The barrier to entry has collapsed, and the number of active criminal groups has nearly tripled since the pandemic. “This is not big game hunting”, he said. “It’s a harvest”.
Indeed, small and mid sized companies are bearing the brunt, with SMEs accounting for two thirds of victims, not prized as trophies necessarily, but weak links.
When attacks stop being technical
What makes 2025 different is not just the scale of disruption, but the nature of the threat.
Data theft and ransomware, which long reigned in the cyber space, are no longer the so-called bad actor’s endgame, but trust is.
Van der Walt describes a shift towards cognitive warfare, attacks designed to destabilise confidence in institutions, brands and even democracy itself.
The real damage, he claims, often comes after the breach, when stolen data is weaponised to manipulate narratives and fracture public trust.
Retail, which sits in the intersection of consumer data, payments and daily life, has therefore become an especially potent target.
And AI has poured fuel on the fire. Attackers are using the technology to accelerate the development of malware, automate reconnaissance and generate deepfakes.
Subsequently, the time between a vulnerability being disclosed and exploited has shrunk dramatically.
Yet, many of the most damaging breaches still begin with depressingly simple tricks.
Whether through a phone call to a help desk, a compromised login code, or a supplier with poor controls, once inside, attackers are able to move quietly, and wait until the right moment.
Public sector plays catch up
The UK government insists it has not just sat by. November saw the long-trailed Cyber Security and Resilience Bill finally reach parliament, which promised tighter reporting rules, wider regulation and tougher oversight of critical suppliers.
Ministers described it as a step change. Industry, less so. Emma Philpott, chief executive of IASME, warns that none of the major retail breaches this year would have been prevented by the legislation.
“All the breaches that we have seen recently wouldn’t have been impacted by this legislation. We need more stuff”, she said.
Others argue it remains fundamentally reactive, expanding the existing NIS regime rather than replacing it with something fit for a hyper-connected economy.
Chris Franccis, director of government relations at SAP, admitted: “The Bill rather misses the areas where we see government intervention most critical”.
The bill also leaves most of the UK’s 5.5 million SMEs, which make up 99 per cent of businesses, largely outside its scope, despite being the most frequent victims.
Security minister Dan Jarvis has been bullish in his tone, urging British PLC this year that cyber incidents have shifted “from the margins to the mainstream”.
Jarvis warned that the threat is as likely to hit customers as it is GDP. He has also urged FTSE bosses to treat resilience as a board-level responsibility, not something outsourced to IT teams.
But market pressure, rather than regulation, may be doing more to shift behaviour.
As Philpott added: “As soon as their customer says, ‘We’re not going to be your customer anymore unless you put multi-factor authentication on your account’, they do”.
The 2026 high street
For retailers already grappling with weak demand and thin margins, the timing could hardly be worse.
UK retail sales growth slowed to its weakest pace in six months in November, as pre-Budget jitters dulled Black Friday spending.
Non-food sales barely grew, with online gains masking declines on the high street.
So a cyber outage on top of that could become hugely destructive.
Revenue loss begins immediately. Supply chains seize up. Brand damage lingers long after systems are restored. Share prices wobble, insurance costs soar and dividends disappear.
The lesson gained from this year is one of awareness, and the cybersecurity sector is no longer troubled with menial ‘worst case scenario’ hypotheticals.
Rather, the focus has shifted to resilience: visibility, speed of response and the ability to contain damage before it cascades through a company, and through the economy.
Or, as van der Walt puts it, maybeit is time to drop the euphemisms altogether. “We should stop talking about cybersecurity,” he says. “We should just talk about security.”
Because this year’s cyber spree has made it clear that when the lights go out, the economic consequences are very real, not to mention very costly.