Cyberattacks: Why Retailers Must Rethink Identity Security

27 May 2025

Recent cyberattacks on UK retailers such as Marks & Spencer and Co-op have once again exposed a hard truth: alongside cybersecurity technologies, your digital identity strategy is pivotal to proactive mitigation.

The image of hackers forcing their way through firewalls has long been a myth. They don’t need to break in – they simply log in. Logging in with compromised credentials has been, and remains, the number one attack vector.

Identities Are the Attack Surface

Modern cybercriminals are targeting people, not just systems. They exploit weak or compromised credentials to initiate high-value actions like:

  • Money transfers
  • Password resets
  • Access to privileged applications
  • Elevation of account permissions

In fact, most cyberattacks begin with some form of credential compromise. Phishing, brute-force attacks, and malware continue to be rampant, but increasingly sophisticated social engineering – often powered by AI-generated deepfakes or detailed social media profiling – is adding new complexity.

For retailers, the risk is especially high. Not only do you handle vast volumes of customer data and payment information, but your operations span both digital and physical environments, with many frontline workers, temporary staff, and third-party vendors accessing your systems. This creates a wide – and often vulnerable – attack surface.

The Shift to Zero Trust

In response to these challenges, many organisations are embracing a Zero Trust approach to security. This model assumes that no user or system – inside or outside your network – should be inherently trusted. Instead, every access request must be explicitly verified and continuously assessed for risk.

But there’s a balance to be struck. Overly strict controls can frustrate users and lead to risky workarounds. Too lenient, and you’re leaving the door wide open. That’s where modern digital identity solutions come into play.

Microsoft Entra Verified ID: A Game-Changer for Identity Assurance

As part of Microsoft’s Entra Suite, Verified ID offers a powerful layer of protection for high-value digital assets and transactions. It allows organisations to verify identity claims using secure, cryptographically verifiable credentials – and enhance this assurance through biometrics, such as facial recognition.

Here’s how it works:

  • Users hold a Verified ID credential containing trustworthy, detailed information about them.
  • When a sensitive action is requested – say, a password reset or access to financial systems – that credential can be shared securely and verified in real time.
  • With Microsoft Face Check, you can even match a user’s real-time selfie to their credential photo, adding an extra layer of high-assurance verification.

This is more than just a second factor of authentication – it’s a smarter, more secure approach to identity proofing.

Real-World Use Cases

Microsoft Entra Verified ID can be deployed across a wide range of critical scenarios:

  • Help desk interactions
  • Privilege elevation
  • Group or role-based access requests
  • Financial approvals
  • Secure logins for high-risk accounts

In each case, it reduces the risk of impersonation and fraud – without creating unnecessary friction for legitimate users.

More Than Just Verified ID: The Power of the Entra Suite

What makes Verified ID even more powerful is its integration with the broader Microsoft Entra Suite. Together, these tools allow you to:

  • Enforce conditional access policies based on real-time risk assessments
  • Simplify identity governance and access lifecycle management
  • Support a decentralised, passwordless, and privacy-respecting identity model

This isn’t just about protecting against today’s threats. It’s about building a future-ready identity strategy that adapts to the evolving threat landscape.

Retailers – and indeed all businesses – must accept that identity is the new perimeter. It’s where attacks begin, and where defences must be strongest.

In light of recent breaches, the message is clear: it’s not a question of if your organisation will be targeted, but when. By adopting a robust digital identity strategy powered by tools like Microsoft Entra Verified ID, you can safeguard your highest-value assets, protect your customers, and ensure that only the right people get access – every time.

The technology is here. The threats of cyberattacks are real. The time to act is now.