
Around one in five Secure Sockets Layer (SSL) security certificates used on UK retail websites are invalid, expired or misconfigured, according to new research from Ethiack.

The AI cybersecurity firm analysed the digital infrastructure of 1,722 European retail brands, assessing more than 58,000 publicly accessible digital assets including ecommerce sites, payment systems and customer service platforms for its State of Digital Exposure report.

UK retailers recorded the highest proportion of invalid SSL certificates, which are designed to encrypt customer data and verify website authenticity. Without a valid SSL certificate, customer information can be intercepted, while cybercriminals can also impersonate retailer websites to commit fraud.

UK retailers leaving security clues in plain sight

The research also found that 20% of UK retail web servers are exposing sensitive security information via HTTP response banners, compared with a European average of 17%.

While not a vulnerability in itself, Ethiack CEO Jorge Monteiro warned this information gives attackers a critical advantage, describing it as “handing cybercriminals vital clues about your security posture”, adding that it is akin to “telling a burglar the make and model of your lock”.

Rising attacks increase pressure on retailers

The findings land amid heightened cyber risk for UK retailers. Microsoft recently ranked the UK second only to the US for the number of cyberattacks suffered in 2025, with Britain targeted more than any other European country.

Ethiack’s report follows a series of high-profile retail cyberattacks last year, including incidents at Marks and Spencer and Co-op.

Monteiro said the sector’s reliance on ecommerce, loyalty schemes and digital payments makes even minor misconfigurations risky, noting that “the average time between a security patch being released and active exploitation has now dropped below a day”.

He added that continuous, AI-driven testing is increasingly essential, as “cybercriminals move faster than traditional, periodic security audits can keep up”.

New for 2026, the Retail Technology Show will feature a dedicated Cyber & Loss Prevention Zone. This will include cutting-edge innovation to help retailers navigate rising cyber risk, prevent loss, reduce crime and keep colleagues and customers safe.

Speaking on Day 2 of RTS, the Co-operative Group’s Chief Digital & Information Officer, Rob Elsey, will deliver a candid keynote on cyber risk and resilience. Opening up about how the retailer responded to the cyberattack which impacted its business last year, he’ll outline critical strategies for cyber resilience in 2026 and beyond.
