Retail Reduced: October 2023

Retail businesses need to prioritise profit and productivity to remain competitive in today’s global market. An artificial intelligence (AI) revolution is underway – offering new tools that transform how retailers conduct business. AI services in the retail sector are predicted to increase from $5 billion to above $31 billion by 2028.

We are seeing a sharp increase in retailers adopting new AI capabilities. One such brand is Amazon, who announced at their annual seller conference ‘Accelerate 2023’, that they will be using the latest AI advancements to improve the listing creation and management experience for sellers, simplifying how Amazon sellers create captivating product descriptions, titles and listing details. It will become faster and easier for sellers to list new products as well as enrich existing listings, helping customers more confidently make purchase decisions – which has previously required significant work for sellers.

Amazon’s Vice President of the Worldwide Selling Partner Experience, Mary Beth Westmoreland announced in September that ‘this is just the beginning of how [Amazon] plan to use AI.’ This stands true, as this October, Amazon have launched a new AI based technology that can spot even the smallest anomalies in delivery vans, and will be integrating a new robotics system into its warehouses to improve delivery times, safety and general operations.

Looking ahead, we can therefore expect retailers to continue to embrace generative AI tools to meet the consumer needs of today — and reap higher returns at the same time – with recent news that the H&M Group are integrating AI for the first time with a custom clothing creation tool.

The government recently launched a Retail Crime Action Plan (“RCAP”) in light of calls from the industry to tackle the rise in thefts and abuse across the UK’s retail stores. Amid mass lootings and suggestions of organised shoplifting gangs, as well as calls for a royal commission to be set up, the government’s announcement will be welcomed by the UK’s retail community.

At a recent meeting, the policing minister, Chris Philp, brought together senior police bosses and 13 of the largest retailers to launch the RCAP. In the plan, the police are committing to, inter alia, “prioritise urgently attending the scene of shoplifting instances involving violence against a shop worker, where security guards have detained an offender or where attendance is needed to secure evidence” and “reaffirming their pledge to follow up on any evidence that could reasonably lead to catching a perpetrator.” Of course, it is hoped but has yet to be seen whether these promises will be brought into effect.

In addition to police commitments, the RCAP has set out advice for retailers on how best to provide evidence, so that cases can be pursued by the police. This will include prompt submission of CCTV footage and images of the shoplifter(s) to ensure the police can act swiftly to crack down on offenders.

A new specialist police team – called Pegasus – will be set up to investigate and build up an intelligence picture of organised crime gangs behind some of the retail crime we have been seeing, so that these gangs can be brought to justice and dismantled. This will involve more information sharing between retailers and Pegasus, so that shoplifting tactics and other criminal characteristics can be shared and evaluated.

The initiative has been backed by the Home Office, John Lewis, the Co-op, Marks & Spencer, Boots, Primark and further retailers, who have agreed to fund the setting up of the initiative in the sum of over £600,000.

Retailers will now be eagerly awaiting results and hoping that the initiative will be money well-spent. In any case, it is undoubtedly a step in the right direction to wipe out the scourge of the retail crime spreading its way across the UK’s high streets.

The threat

As the holiday season approaches, alarming trends are revealed from the influx of cybersecurity attacks on retailers. In their report, Check Point Research (CPR), a notable resurgence in cyber-attacks across the globe is evident, pointing to an 8% rise in weekly cyber-attacks this past quarter – marking the most significant surge in the last two years.

Why do cyber criminals target retailers?

Rapid technological advancements in the past few years have made it easy for retailers to collect and store vast amounts of consumer data to drive profitability and target consumers more specifically. Retailers are often at the forefront of employing new technologies to enhance customer engagement and drive sales. New data driven technologies might include:

• Analytics and AI – Retailers can gather data from their own operations such as customer footfall, peak times, flow around the shop and spending patterns. These can be gathered from cameras, motion sensors and other devices and can be matched up with inventory tracking data through QR codes and in-store NFC tagging. AI systems can pick out useful patterns and retailers can even sell on the date if desired.
• Pricing and AI – AI powered algorithms can create dynamic pricing that may automatically adjust depending on volume, demand and market factors, or personalized pricing that tailors prices to the buyer’s profile based on purchase or browsing history from a website, for example.
• Web 3.0 and the metaverse – the use of NFT’s (non-fungible tokens) combined with physical tags, called ‘phygitals’ are now increasingly used. Products that were purely digital in the metaverse are now being sold physically in this way, such as Claire’s release of the ‘Shimmerville’ plushie toys this month, previously only available to purchase in the Roblox metaverse platform.

These methods above are just a few way retailers can build such a rich inventory of consumer data. This makes them a target for ransomware attacks. Ransomware is a type of malware that prevents access to data stored privately on a device, usually by encrypting files. A criminal group will then demand a ransom in exchange for decryption. The group might also be able to access the files and threaten a leak.

According to the CPR report, data derived from over 120 ransomware “shame-sites” revealed that in the first half of 2023, a total of 48 ransomware groups reported breaching and publicly extorting more than 2,200 companies. According to the British Retail Consortium (BRC) 33% of retailers have experienced a breach in the previous twelve months. But that is not all: only 48% of retailers have a formal ransomware plan, while 27% indicated a willingness to pay the ransom.

What are the potential legal issues?

Where data is leaked due to a cyber-attack, this does not necessarily mean that the blame can be placed solely on the bad actors.

Last October, the ICO issued a fine of £4,400,000 to Interserve Group Ltd, a construction company, for failing to keep personal information of its staff secure. The ICO found that the company failed to put appropriate security measures in place to prevent a cyber-attack, which enabled hackers to access the personal data of up to 113,000 employees through a phishing email.

A key principle of the UK GDPR is that you process personal data securely by means of ‘appropriate technical and organisational measures’ – called the ‘security principle’. Doing this requires you to consider things like risk analysis, organisational policies, and physical and technical measures.

To avoid these problems, retailers must be increasingly vigilant and disciplined when securing their data. Robust security awareness training, multi-factor authentication passwords, frequent malware scans and use of high-end cyber security software are some examples of defences that can be used.