The number of data breaches at UK retailers has doubled year on year as pressure mounts for the sector to plough investment into cyber security.

The number of retail businesses that reported data breaches to the Information Commissioner’s Office jumped to 38 in 2016/17, up from 19 in 2015/16.

The number of data breaches over the past year has grown at an exponential rate according to ICO figures, which find that there were only 17 retail data breaches in 2014/15.

Law firm RPC, which conducted research on the rise of online retail data breaches, found that as retailers bolster their big data resources, hackers have homed in on the sector as one that has a wealth of customer information but often insufficiently robust security systems to protect it.

RPC partner Jeremy Drew said: “Retailers are a goldmine of personal data but their high-profile nature and sometimes aging complex systems make them a popular target for hackers.

“There are so many competing pressures on a retailer’s costs at the moment – NMW rises, rates increases, exchange rate falls, as well as trying to keep ahead of technology improvements – that a proper overhaul of cyber defences can get pushed onto the back burner.”

High-profile cases

Retailers including Sports Direct, Debenhams, Morrisons and Carphone Warehouse have all had high-profile data breaches over the past two years – however, as retailers are not currently obliged to disclose them, the actual number of data breaches that occur in the industry may be much higher.

The RPC noted that the General Data Protection Regulation (GDPR) coming into force next May would increase the financial risk of data breaches for retailers as it will make reporting them mandatory.

“As the GDPR threatens a massive increase in fines for companies that fail to deal with data security, we do expect investment to increase both in stopping breaches occurring in the first place and ensuring that if they do happen they are found quickly and contained,” said Drew.

“No UK retailer wants to be in the position of some public examples who were forced to confirm that it took them nearly a year to close a data security breach.”