
From warehouse to web app: how supply chain gaps let hackers walk in

Posted: 08/05/2025


Whether you are an SME or a large organisation, establishing supply chain resilience is critical, as a business is only as strong as its weakest link. 

Three major British retailers were subject to cyber-attacks in recent weeks. M&S experienced a significant cyber incident, likely a ransomware attack, which substantially disrupted online sales, in-store payments and click-and-collect services over Easter. Shortly afterwards, two other British retailers were targeted. London's Harrods reported an attempted cyber-attack, saying hackers had made 'attempts to gain unauthorised access to some of our systems'. Similarly, the Co-operative Group detected what it described as a hack attempt on its IT systems. In a message to staff, the mutual retailer said hackers had 'attempted to break into' its systems, prompting precautionary measures. As a result, Co-op temporarily shut down parts of its back-office IT as well as some call centre operations. The Co-op Group has since issued a statement confirming that the hackers had 'accessed data relating to a significant number of our current and past members'.

Retail's fragmented tech stack (POS, e-commerce, third-party fulfilment) widens the available attack surface. Cloud-based systems are not abstract: they run on physical infrastructure made up of telecoms networks, power, data centres and connected devices, each of which can fail or be attacked. Retail suppliers in turn procure services from other digital service providers, both for their own back-office functions and for components of the services they deliver to the retailer's customers, and all of those providers rely on physical infrastructure too. Digital supply chains of this depth present specific business continuity and operational resilience risks from a cyber security perspective, because a compromise or outage several tiers removed from the retailer can still reach its customer-facing systems.

What can be done to prevent such failings, and how can we deal with these issues if and when they arise? What are the potential legal and regulatory challenges businesses may face? Who can they hold liable? Can they claim reputational damages? As we consider below, there are due diligence questions and contractual clauses that retailers should insist on to help mitigate these risks.

What can we do to prevent such failings in the future?

Retailers should maintain a register of all their third-party solution suppliers (this is no small task) and a clear view of which are their critical providers: those whose failure would stop trading, and those with access to customer data or to the retailer's own systems.

From a legal perspective, organisations should upgrade their critical supply agreements by applying an operational resilience lens to them. Absent specific sectoral legislation, it falls to the customer to contractually express the minimum levels of operational resilience required of a supplier.

Run joint incident simulations with critical suppliers so that both teams know how to collaborate, can identify gaps in resilience and can respond quickly to outages. These steps may not prevent outages in a supply chain, but they will put an organisation in a much stronger position to deal with them when they occur.

Mitigating the risks

Retailers should also ensure that they mitigate the other risks (legal, regulatory and reputational) which could arise from a systems failure or cyber incident.

Legal liability

When a systems outage occurs, determining liability can be complex. Businesses may seek to hold the supplier liable for any damages incurred. This typically involves examining the terms of the supply agreement or contract. Key factors include:

  • service level agreements (SLAs): these define the provider’s obligations and the remedies available in case of a breach. Businesses should ensure their SLAs include clear terms regarding uptime guarantees, response times, and compensation for service failures;
  • negligence: if the provider failed to exercise reasonable care in delivering its services, it might be held liable for negligence. This requires proof that the provider’s actions or inactions directly caused the damages;
  • breach of contract: if the provider fails to meet the contractual obligations, businesses can pursue a breach of contract claim. This involves demonstrating that the provider did not fulfil the agreed terms.

Regulatory issues

Where outages are caused by cybersecurity incidents, these can trigger various regulatory challenges, depending on the jurisdiction and industry. Key regulatory issues include:

  • data protection laws: the UK GDPR (supplemented by the Data Protection Act 2018), the EU GDPR, and the California Consumer Privacy Act (CCPA) in the US impose strict requirements on the protection of personal data. A breach can lead to significant fines and legal action;
  • notification requirements: many jurisdictions require businesses to notify regulators and, in some cases, affected individuals in the event of a personal data breach. In the UK, a breach that is likely to result in a risk to individuals must be reported to the Information Commissioner's Office without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it, and affected individuals must be told where the breach is likely to result in a high risk to them. Failure to comply can result in penalties and damage to the business's reputation;
  • industry-specific regulations: certain industries, such as finance and healthcare, have additional regulatory requirements. For example, the Financial Conduct Authority in the UK regulates financial services firms and financial markets to ensure that they operate with integrity, protect consumers, and promote competition.

Reputational damages

Reputational damage can be one of the most significant consequences of systems failure, whatever the cause. To claim reputational damages, businesses need to:

  • document the impact: collect evidence of the incident’s impact on their reputation, such as customer complaints, lost sales, and negative media coverage;
  • quantify the loss: estimate the financial impact of the reputational damage, including lost revenue and increased marketing costs to rebuild the brand;
  • legal action: pursue legal action against the responsible party, if applicable, to recover damages. This may involve proving that the incident directly caused the reputational harm.

Mitigation strategies

To mitigate the risks associated with far-reaching systems outages, businesses should adopt proactive measures:

  • conduct regular risk assessments: identify potential vulnerabilities and assess the impact of disruptions. This helps prioritise resources and recovery efforts effectively;
  • develop incident response plans: create and regularly update incident response plans to ensure a swift and effective response to cybersecurity incidents;
  • invest in insurance: cyber insurance can provide financial protection against losses resulting from cybersecurity incidents, and professional indemnity insurance should assist in the case of home-grown failures; ensure third party suppliers also have appropriate insurance in place;
  • implement robust security measures: patch systems promptly, train employees, and require multi-factor authentication, particularly for remote, administrative and supplier access, to enhance security;
  • review third-party contracts: ensure that contracts with third-party providers include clear terms regarding liability, SLAs, and data protection obligations.

By understanding the legal and regulatory landscape and implementing robust mitigation strategies, businesses can better navigate the risks associated with network and systems incidents and protect their operations and reputation.

The recent tribulations of these British retailers show the fragility of connected networks and the importance of supply chain controls, including quality assurance and diversification of suppliers, so that the failure of one provider does not halt trading.



Penningtons Manches Cooper LLP

Penningtons Manches Cooper LLP is a limited liability partnership registered in England and Wales with registered number OC311575 and is authorised and regulated by the Solicitors Regulation Authority under number 419867.