Four in five of the UK’s top 50 retailers are exposed to at least one form of critical cyber vulnerability, according to new research from cyber risk specialist KYND.
The analysis, which focused on the top 50 UK retailers by revenue, also found more than a third (38%) of the retailers analysed face critical risks simultaneously across all five major threat categories: ransomware risk exposure; email security weaknesses; outdated software; vulnerable services; and certificate issues.
Of the organisations analysed, the majority had at least one critical red risk – a vulnerability which could lead to business interruption – identified in each category. 80% had email security vulnerabilities, 72% had certificate issues while 70% had vulnerable services and outdated software. More than half (58%) were exposed to the risk of ransomware.
It comes after a series of high-profile cyber incidents impacting major retailers including M&S, the Co-op and Harrods. M&S has estimated that the hack, which began in April 2025, will cost the business at least £300m in lost profits.
Andy Thomas, CEO of KYND, said: “Retailers hold enormous volumes of sensitive data and operate complex supply chains, so even a seemingly minor oversight – like an expired certificate or unpatched software – can quickly become an open door to attackers.
“These results are a wake-up call for the sector to focus on the fundamentals: visibility, prioritisation and proactive monitoring.”