Privacy in Retail: From Breaches to Brand Strategy

In the last two years, the retail sector has undergone a seismic shift in how it approaches privacy. As heavy collectors and consumers of personal data, retailers have been the focus of high-profile data breaches and are subject to evolving legislation and consumer expectations. This article explores the current state of privacy in retail, drawing on recent incidents, regulatory developments, and emerging trends to help retailers navigate the road ahead.

1. Breaches Are the New Norm - But Not the New Excuse

Retailers across Canada have faced a wave of privacy incidents, from ransomware attacks to third-party vendor breaches. The incidents summarized below show that these are no longer isolated events but a systemic issue across the sector. Over the last two years, retail has experienced a significant rise in cyberattacks, with several high-profile breaches affecting major brands around the globe. These incidents have highlighted the growing sophistication of threat actors and the urgent need for stronger cybersecurity and privacy measures.

In March 2024, Giant Tiger suffered a breach that affected 2.8 million of its customer records through a compromised vendor, demonstrating how fragile the supply chain can be. Also in 2024, London Drugs and Indigo were hit by ransomware, with employee data leaked and operations disrupted for weeks.

In April 2025, UK retailer Marks & Spencer (“M&S”) suffered a severe ransomware attack that encrypted critical systems, interrupting online orders and causing an estimated $400 million in loss of profits. The attack occurred through “social engineering” where their outsourced customer support provider was “tricked” into changing an employee’s password. The bad actor was then able to gain access to M&S’s systems. Around the same time, the Co-op Group in the UK was targeted through similar advanced social engineering tactics, leading to the exposure of millions of customer names and contact details.

In May 2025, The North Face, Cartier and Adidas experienced a credential stuffing attack, in which hackers used previously stolen login credentials to access customer accounts and purchase histories. Around the same time, a cybersecurity investigator discovered approximately 184 million password records on the dark web. This data dump included emails and passwords associated with tech giants like Meta, Google, and Apple, and was attributed to infostealer malware, which silently collects data from infected devices rather than breaching corporate systems directly.

Luxury and fashion retailers locally and globally have been hit hard. Dior faced a phishing campaign in South Korea and China that compromised customer databases, leaking personal and purchase information. Similarly, Tiffany & Co.’s South Korean operations were targeted, resulting in the exposure of customer names, addresses, and purchase records. Victoria’s Secret encountered a cyber incident that disrupted its website for several days, delaying financial reporting and causing a 4% drop in share value. Adidas’s reported breach involved a third-party customer service provider, which exposed customer contact details in Germany and Canada, raising concerns about vendor security practices.

While data breaches may be unavoidable in today’s threat landscape, the damage they cause doesn’t have to be. The difference between a swift recovery and lasting reputational harm often hinges on how effectively a retailer responds. Recent trends show that attackers are increasingly targeting personal information and exploiting third-party vulnerabilities, making breaches not just a technical issue but a strategic one. The operational disruptions and loss of consumer trust that follow are often magnified when organizations are unprepared. For retailers, this underscores the need for proactive measures: robust incident response plans, ongoing employee training, and rigorous third-party risk management. These aren’t just best practices; they’re essential defences for protecting your brand and ensuring business continuity.

2. Third-Party Risk Is Your Risk

Numerous incidents highlight a critical truth: you can outsource services, but not accountability. Under PIPEDA and provincial laws, particularly Quebec’s Law 25, organizations remain responsible for how third parties handle personal information. This includes ensuring that:

  • adequate vendor management is in place (including privacy and security risk assessments)

  • vendors are vetted for compliance and breach history

  • vendor contracts include privacy and security obligations

  • data minimization is enforced (only sharing what’s necessary)

  • sufficient breach management and notification clauses are in place

As third-party breaches rise (up 68% in 2024, according to Verizon), vendor due diligence is no longer merely a best practice; it is a legal and reputational necessity.

3. Employee Data Deserves Equal Protection

Retailers often focus their privacy efforts on customer data, likely because of its volume. However, retailers also generally employ a large workforce, and employee data is just as vulnerable. Indigo’s 2023 breach exposed the SINs, bank details, and human resource files of current and former employees, sparking legal action and union demands for transparency.

Privacy legislation in Quebec, Alberta, and BC explicitly includes employee data. What is more, even in Ontario, where no dedicated employee privacy law exists, common law and employment contracts provide a reasonable expectation of privacy, and regulators have been clear about what they expect. Employers must:

  • limit access to employee data

  • provide clear internal privacy and employee policies

  • ensure monitoring (e.g. CCTV, BYOD) is proportionate and disclosed

  • apply the same consent and purpose limitations as with customer data

  • properly assess human resource information systems and ensure adequate privacy and security controls are in place

4. Privacy Is a Brand Differentiator

Consumers are paying attention, and they’re making decisions based on trust. The Home Depot incident is a case in point. Home Depot collected customer emails under the guise of sending e-receipts, only to share those emails with Meta for ad conversion tracking. The backlash was swift, with many customers feeling misled. Similarly, after the Indigo and LCBO breaches, customers expressed reluctance to use loyalty programmes or online services, fearing their data might not be safe. These examples show that when trust is broken, customers either withhold their data or take their business elsewhere. On the other hand, retailers that are transparent, proactive, and respectful of privacy are earning loyalty. By embedding privacy into their brand through clear notices, opt-in choices, and visible security practices, retailers aren’t just meeting legal requirements; they’re building a competitive advantage in a market where trust is everything.

WHAT RETAILERS SHOULD DO NOW!

To stay ahead, Canadian retailers should:

  • Conduct vendor risk assessments and review contracts for privacy clauses

  • Update consent mechanisms to meet Law 25 and other consent requirements

  • Implement employee privacy policies and training

  • Align privacy and security teams to reduce duplication and improve response

  • Communicate privacy efforts to customers as part of the brand strategy

  • Ensure adequate incident response management is in place

The state of privacy in Canadian retail is one of transformation. The sector is moving from reactive compliance to proactive governance, from seeing privacy as a legal hurdle to recognizing it as a strategic asset.

Retailers that embrace this shift will not only avoid fines and fallout, but they will also earn the trust of a privacy-conscious public and position themselves as leaders in a data-driven economy.


Lauren Preston

Lauren Preston is a Privacy Solutions Architect at Bamboo Data Consulting who thrives on making privacy practical, approachable, and even enjoyable. With expertise spanning finance, tech, health, and more, she loves creating strategies that help businesses stay secure while building trust. When she’s not tackling privacy challenges, Lauren writes about everything from data compliance tips to building privacy-first cultures while focusing on the legal aspect of privacy. She’s a Certified Information Privacy Professional (CIPP/C) who believes privacy can be as interesting as her next creative challenge - or at least close!
