Thales | Security for What Matters Most
More About This Author >
Thales | Security for What Matters Most
More About This Author >
Black Friday and Cyber Monday can make or break the year for retailers. Sales soar, carts fill, and data pours in. However, the same things that drive growth for retailers also draw in malefactors. For them, it’s open season. Each click, login, or checkout is an opportunity to slip, unnoticed, into systems full of sensitive data.
By the time you notice something is wrong, it may be far too late. So, ask yourself this: if my retail business went offline during Thanksgiving weekend, how long would it take me to recover? How much trust (and money) could I lose?
When Doubt Meets Danger
When Black Friday and Cyber Monday come around, retailers brace for a storm. Traffic surges and systems struggle to keep afloat. Thales saw retail traffic climb 12% between October and November 2023; a wave big enough to hide almost anything. In that flood, fraudsters slip through and upend your promises of data security in minutes. Even the sharpest monitoring systems can overlook a (seemingly) innocuous login.
On top of that, consumer confidence in retail security is already thin. When asked which sectors they trusted the most, only 5% of respondents to the Thales 2025 Digital Trust Index answered ‘retail’. In the same report, nearly one in five said they have been informed in the last 12 months that their data has been compromised.
Between the customer trust gap and the increasingly sophisticated methods used to gain access, the impact of an attack can be devastating. A slew of breaches, mainly ransomware, hit major UK retailers in 2025, costing millions and causing weeks of operational disruption. When those attacks hit, they didn’t just freeze systems; customers lost faith, and retailers lost business.
Cracks Widen Under Pressure
The average eCommerce platform loads 400 resources per site, and much of it, whether a payment gateway, marketing tag, or analytics feed, brings in third party content. Alongside this necessary infrastructure and functionality for customers come the inevitable weaknesses. Each outside integration is another potential entry point for malicious actors.
Thales found that bot attacks now account for 37% of all internet traffic, overtaking human activity for the first time. Legacy systems, patchwork architectures, and inconsistent MFA across customer and staff accounts widen the cracks. Add seasonal staff, stretched IT teams, and a sprinkle of subpar training, and even minor misconfigurations can become serious exposures.
During Black Friday 2023, account takeover (ATO) attacks surged 85%. Retailers already contend with an average of 101,950 bot-related incidents every day, so what do businesses need to understand to protect the bottom line and avoid adding additional risk?
Bots, APIs, and the Rise of Ransomware
The most important aspect of threat to retailers today isn’t bad humans. It’s bad humans using automation.
These aren’t yesterday’s basic bots. Mimicry is their specialty, using AI to imitate human behavior, bypass rate limits, and blend in with normal traffic. Many use residential proxies to seem legitimate, hiding malicious intent behind trusted IP addresses.
Modern shopping experiences are powered by APIs, which makes them a prime target. Thales 2025 data shows 44% of advanced bot traffic now hits APIs. Attackers exploit business logic (discount loops, gift card abuse, fake account creation) by sending valid-looking requests that slip through traditional defenses.
Some of the most damaging attacks combine this human-like subtlety with scale. Thales recorded an application-layer DDoS attack that hit 15 million requests per second against a financial API. In retail, such an assault could mean hours, or even days, of lost revenue. For context, Thales products helped prevent around 30 hours of downtime per retail site during the 2023 holiday season.
Ransomware also remains one of the retail sector’s biggest threats. Bad actors know the losses during downtime can make or break a retailer’s year, and they aren’t afraid to use that as leverage. One successful infection can lock customer data, disrupt logistics, and stop transactions midstream. When the demand for payment comes, it’s too tempting to pay up in exchange for regular operations – and the number of companies doing just that has more than doubled in recent years.
Application Security at the Frontline
Good data management with Thales’ CipherTrust Data Security Platform helps limit these risks. By encrypting and tokenizing sensitive details (particularly payment and loyalty information), data is protected and, crucially, unusable in the event of an attack. Real-time ransomware protection detects unauthorized encryption attempts before they can spread.
This kind of layered defense cannot be underestimated. Today’s websites are like living ecosystems, not static storefronts. JavaScript dependencies, API calls, and client-side integrations are all fraught with invisible risk. Retailers need more than backup plans; they need preventive plans, too.
Client-side threats like Magecart attacks insert malicious code directly into checkout pages and skim card data. When 76% of a retail site’s JavaScript comes from third parties, the attack surface widens dramatically. Continuous monitoring of client-side scripts helps detect unsanctioned changes before they affect customers.
Meanwhile, APIs must be protected with runtime intelligence and behavioral analytics. Adaptive throttling, schema enforcement, and object-level authorization help stop automated abuse without disrupting real users.
The Thales Application Security Platform can halt attacks before they reach APIs, spotting abnormal behavior, blocking bot-driven fraud, and keeping business logic intact while letting legitimate traffic flow uninterrupted.
The Identity Layer Still Matters
While the problem is certainly bigger than just identity, it’s true that it remains central to the customer experience. Balancing customer safety with customer satisfaction and avoiding dangers, like password over-reliance and reluctance to use MFA, is a delicate act. Complicating the experience for your customers is a gift to attackers. If it’s too hard to jump through the hoops, passwords start looking less like security measures and more like ‘shopping123’. These weak, stolen credentials feed ATO campaigns, which spike during sales events and put revenue at risk.
The Thales OneWelcome Identity Platform helps close the gap with phishing-resistant, passwordless authentication and context-based MFA. It verifies legitimate users without adding friction, adapting automatically to seasonal peaks or changes in user behavior.
At it’s heart, identity protection is about trust. When customers know their data and accounts are safe, they shop with confidence.
Preparing for the Surge
As AI-driven automation grows, attackers are evolving faster than many defenses. Thales telemetry shows retail sites now face an average of 569,884 AI-driven attacks daily. These systems generate fake identities, automate phishing, and adapt in real time to evade security tools.
To stand up to this, retailers need to understand the risk and adopt a holistic defense posture:
- Protect the data: Encrypt, tokenize, and control access to sensitive assets.
- Secure the application layer: Detect bots, guard APIs, and monitor client-side scripts.
- Strengthen identity: Deploy adaptive, passwordless authentication and granular access controls.
Black Friday and Cyber Monday are both opportunity and danger. Retailers that see cybersecurity as a seasonal necessity pay the price. Those who protect identity, protect data, and shield applications year-round have built the resilience that carries them through (and beyond) the rush.
Cybercriminals don’t take holidays. But with Thales, your customers can.