19 Jun 2025

Online shopping after a cyberattack: can these habit changes keep your data safe?

From not saving your card details to using guest checkouts, we explore the precautions some shoppers are now taking

Marks and Spencer's website is back and taking online orders, while Co-op is offering its members £10 off a shop worth a minimum of £40 – but you may not be rushing to the checkout.

A string of recent ransomware attacks – affecting not just Co-op and M&S, but also Adidas and Harrods – is likely to have made people cautious about where they shop and how they share their data online and in-store.

In a recent survey* of Which? Connect panel members, almost four in 10 said they've been contacted by a retailer or service provider about compromised data, and many told us about the changes they're making in light of the security breaches.

From guest checkouts to avoiding new retailers altogether, we look at what precautions some shoppers are taking and whether they're worth adopting.

Sign up for scam alerts

Our emails will alert you to scams doing the rounds, and provide practical advice to keep you one step ahead of fraudsters.

'I'm less likely to opt to save card details'

Often, when ordering from an online retailer, there will be a tick box (or a pop-up) asking you whether you want to save your card details for future purchases.

Following the recent spate of cyberattacks, three-quarters of those surveyed who said they were making a change told us they're less likely to opt to save their card information when shopping online.

We agree that it's best not to save card details if you can help it (particularly if you're not going to shop with the retailer regularly).

Although it can be a faff to resubmit your details each time, it's better than having your financial information unnecessarily stored in a database that could be compromised.

Some retailers, such as Amazon, will automatically save your card information when you pay. If you want to remove this information, you'll need to go into your account settings and manually delete the card from your list of payment options.

Find out more: what to do if you're worried about the Co-op and Marks and Spencer hacks

'I'm less likely to create an online account with a retailer'

Creating an account with an online retailer often means handing over contact information, such as your address, email address and phone number.

This data was compromised in both the Co-op and M&S attacks, leaving affected customers vulnerable to fraudulent texts, calls and emails.

Four in 10 of those surveyed who said they were making a change said they're now less likely to create an online account with a retailer because of the recent security breaches.

One participant told us: 'I've never opted to save card details as I know it makes me vulnerable. But I'm now less likely to share any information, such as my phone number or email address.'

Opting for a 'guest checkout' (which is offered by many big retailers) is always our preference when shopping online. You can still easily track your order and make returns, but you won't be needlessly handing over your personal data.

Find out more: my personal data has been lost after a breach, what are my rights?

'I'm less likely to shop with retailers I haven't used before'

The cyberattacks have made some people reassess who they're happy to shop with: a third of those surveyed who were making a change said they're less likely to buy from new retailers in light of the data breaches.

But we don't think avoiding retailers you've not used before is necessary, provided that you do your research beforehand.

If you come across a retailer you're not familiar with – for example, if you clicked on a social media or Google ad – you can run some simple checks to ensure the store is legitimate.

It's worth checking the company's Trustpilot page and Google reviews, as well as looking at its social media channels for anything suspicious, such as a low number of followers or newly created accounts.

You can also check whether the website lists any contact information. Reputable and legitimate companies will always provide ways to get in touch with them.

Just because you haven't come across a retailer before, it doesn't necessarily mean it's dodgy or more likely to suffer a security breach. After all, as we've seen with Co-op and M&S, it's often the biggest retailers that are targeted by hackers.

Find out more: how to spot an online shopping scam

'I’m less likely to shop at a retailer that has had a cyberattack'

Although M&S orders are back up and running, it might take some time for all its customers to feel comfortable buying from its website again.

In our survey, 19% of those surveyed who were making a change said they're less likely to shop at retailers that have suffered cyberattacks, while 15% went even further, stating that they're less likely to shop online at all.

Others had the opposite attitude. 'I'd be more likely to show solidarity and shop at stores that are under attack from hackers,' one participant said.

If you're feeling hesitant to place an order with one of the recently targeted retailers (or with any online retailer at all), there are easy ways to ensure your data is protected when shopping online. Follow our tips below to shop safely.

Find out more: how to spot a scam

How to stay safe when shopping online

Use guest checkouts, and don't save your card details It's always wise to limit the amount of data you share with companies unnecessarily. As a rule of thumb, when online shopping, opt for a guest checkout if given the option, and create an account only if you really need to.
Use strong passwords If you do create an account, set a strong password and never use the same password/email combination. Our guide on how to create secure passwords can help. It's worth going back through your existing accounts and changing your passwords if you think you've already used them elsewhere.
Look for a padlock A padlock symbol next to a website's URL means that the site is encrypted. So what you do on it, such as browsing or making payments, can't be intercepted. Most websites now have this feature, so if you notice a site that doesn't have one, it could be a red flag. That said, scammers can forge or buy these padlocks, so seeing one doesn't always mean a website is safe.
Watch out for scam retailers Before placing an order with a retailer (particularly with one you haven't heard of before), it's best to do some research to check that it's legitimate. Things to look out for include too-good-to-be-true prices and newly created websites or social media channels. Use a domain checker, such as who.is, to see when the website was created, and read our in-depth guide for spotting fraudulent sites.
Pay by credit card for extra protection Using a credit card for goods or services that cost between £100 and £30,000 means you get Section 75 protection if you do end up buying from a scam site, or if something goes wrong with your order. You can also make a chargeback claim if you pay by debit card, but this isn't enshrined in law like Section 75.
Never pay by bank transfer If you're asked to do this, it should raise suspicions. We recommend never paying for goods by bank transfer, as you won't have any protection if something goes wrong.

Find out more: Pay by Bank: can you trust this new way to pay?

* In May/June 2025, Which? asked 1,323 members of the Which? Connect panel what they're less likely to do following the recent cyberattacks, 693 said they would be making a change.