The 2026 Data Threat Report Retail and E-commerce Edition examines key challenges faced by retail organizations, including the fast proliferation of AI-driven cyberattacks targeting personnel, cloud storage, applications, and identity infrastructure. AI adoption by retail organizations has also introduced significant insider risks stemming from rapid operational and ecosystem changes. As always, the Data Threat Report encourages and equips security leaders to build stronger alliances spanning their own organizations and partner ecosystems to achieve broader enterprise goals.
This research was based on a segment of 426 security and IT executives working for traditional brick-and-mortar retailers operating physical locations, pure-play e-commerce businesses, and omnichannel retailers, which integrate both physical and online operations, in 20 countries.
Conducted by

“Insider risk is no longer just about people. It is also about automated systems that have been trusted too quickly. When identity governance, access policies, or encryption are weak, AI can amplify those weaknesses across environments far faster than any human ever could.”
72% of retail and e-commerce organizations expressed concerns about rapid change in AI ecosystems, their top AI security risk.
85% have invested in specific security tools or services due to concerns about AI.
61% have experienced deepfake attacks and 50% suffered reputational damage as AI-fueled attacks emerge as a prominent threat.
Only 37% of retail and e-commerce organizations said they have complete knowledge of where their data is stored.
Only about half of sensitive data in the cloud is encrypted. 53%
54% are pursuing reworking and refactoring of application and data architectures as their main focus in achieving sovereignty objectives.
39% believe cryptographic protections such as encryption and key management are sufficient to achieve data sovereignty.
76% of retail and e-commerce organizations have five or more data protection tools.
49% have five or more key management systems.
61% say future encryption compromise is the top quantum computing concern for retail and e-commerce organizations.
61% are prototyping are prototyping and evaluating post-quantum cryptographic (PQC) algorithms.
37% cloud storage, 37% cloud applications and 32% cloud management infrastructure are the top targets for attackers.
Credential theft is the leading attack technique against cloud infrastructure – 71% are seeing credential theft and misappropriated secrets increasing.