July 29, 2025

PRESS RELEASE: 80% of top UK retailers exposed to critical cyber vulnerabilities

By KYND


Four in five of the UK’s top 50 retailers are exposed to at least one form of critical cyber vulnerability, according to new research from cyber risk specialists KYND.

The analysis, which focused on the top 50 UK retailers by revenue, also found more than a third (38%) of the retailers analysed face critical risks simultaneously across all five major threat categories: ransomware risk exposure, email security weaknesses, outdated software, vulnerable services and certificate issues.

KYND defines critical or ‘red’ risks as vulnerabilities which could lead to business interruption if not addressed. Of the 50 organisations analysed, the majority had at least one critical red risk identified in each category. KYND found:

  • 80% had email security vulnerabilities

  • 72% had certificate issues (digital certificates are crucial for maintaining secure online communication and protecting sensitive data, so misconfigurations, expired or revoked certificates can compromise security)

  • 70% had vulnerable services

  • 70% had outdated software

  • 58% were exposed to ransomware risk.

It comes after a string of high-profile cyber incidents impacting retail giants including M&S, the Co-op and Harrods. M&S has estimated that the hack, which began in April, will cost the business at least £300m in lost profits.

Andy Thomas, CEO of KYND, said the findings highlight the growing risks posed by poor cyber hygiene as the sector relies more heavily on digital infrastructure.

He said: “Retailers hold enormous volumes of sensitive data and operate complex supply chains, so even a seemingly minor oversight — like an expired certificate or unpatched software — can quickly become an open door to attackers.

“These results are a wake-up call for the sector to focus on the fundamentals: visibility, prioritisation and proactive monitoring.”

Email security proved to be the biggest liability by volume, accounting for 9,239 critical issues identified across the 50 companies analysed – which could open the door for phishing or spoofing attacks. Other attack vectors presented hundreds or thousands of individual ‘red’ risks, including 1,180 related to vulnerable services and 1,073 certificate issues.

With more than a third of retailers facing overlapping vulnerabilities which compound risk and multiply their exposure, KYND is calling on retail businesses to improve systemic weaknesses.

In response to the findings, KYND is urging retail businesses to:

  • Gain full visibility over their digital infrastructure to understand the breadth of risk exposure. Most of the identified issues were visible externally, making them easy targets for threat actors.

  • Prioritise remediation of actively exploited and high-impact vulnerabilities, such as those listed in CISA’s Known Exploited Vulnerabilities (KEV) catalogue.

  • Address foundational weaknesses, including tightening email security protocols, software patching and certificate renewal.

  • Move from intermittent, point-in-time cyber risk assessments to continuous attack surface monitoring, as new vulnerabilities are emerging all the time.

  • Continuously evaluate cyber risk across third-party suppliers and partners and work with them to help remediate critical issues.

Andy Thomas added: “Today, cyber risk is a board-level concern with serious financial, operational, and reputational implications. For retailers operating in an increasingly digital environment, managing cyber risk as a core business risk is essential to maintaining resilience and protecting long-term value.”

For more information, please visit: https://www.kynd.io/.


About KYND

KYND is a pioneering cyber risk management provider which supports businesses of all sizes and portfolios across the insurance and financial services industries worldwide. Headquartered in London, with offices in Portugal and the US, KYND transforms complex cyber risk data into clear, actionable insights, making it quicker and easier to assess, manage and mitigate risk with confidence.

Its innovative technology provides instant visibility into cyber risk exposure and offers continuous monitoring with advanced real-time threat alerts. KYND’s flexible, made-to-measure product suite delivers jargon-free insights with tools and bespoke advice to support businesses, insurance underwriters, brokers, advisors and investment managers.

Founded in 2018, KYND has been recognised in the InsurTech 100 list for four years running and scooped Cyber Product of the Year at the National Insurance Awards 2025.

For more information, please visit: https://www.kynd.io/

Follow KYND on LinkedIn: @KYNDCyber


