A recent Deloitte survey highlighted urgent cybersecurity concerns: 70% of consumers worry about sharing personal information with retailers, either because of data breaches and misuse (72%) or because they don’t know how their information will be used (70%).
The report found that 64% are hesitant to shop at retailers that experienced a breach – creating immediate business risk for compromised brands. AI adoption has also exploded to 50% (up from 33% last year) in the last three months, with one in four Canadians expecting retailers to leverage AI, and this is raising new security and privacy questions.
“Peak shopping seasons are stressful for both customers and retailers. Retailers are prepared for a surge in the volume of purchases and plan for increased capacity to handle the fluctuating demand. While the focus is on ensuring that websites and applications remain available during the busy season, it is essential not to take shortcuts to handle this surge,” said Trish Dyl, Director of Skills Development & International Programs, Rogers Cybersecure Catalyst, Toronto Metropolitan University.
“The proper testing and application of appropriate security measures should account for the additional infrastructure that may be temporarily deployed during this period. Increased transactions also bring about more opportunities for cybercriminals to exploit retailers and customers.”
Dyl has dedicated her career to public service, driven by a commitment to strategic problem-solving and creating meaningful change. After 20 years as a Public Affairs leader for the Government of Ontario, she joined Rogers Cybersecure Catalyst, where she currently serves as Director of Skills Development and International Programs. Her focus is on creating opportunities for cybersecurity training and development in Canada and abroad.
Dyl suggests that companies start with these fundamental protections:
- Keep your systems updated with the latest security fixes
- Use secure website connections (those “https” addresses with padlock icons) to protect customer logins and credit card information
- Require strong passwords and add an extra verification step when staff log into systems
- Check your security regularly to catch problems early
“If you process credit or debit cards, you must follow industry security standards. The latest requirements include passwords of at least 12 characters, better tracking of security weaknesses, and protection for your payment pages. Make sure all credit card data is protected both in-store and in your databases,” she explained.
“This is a crucial time for retailers, and any disruption to operations can significantly impact overall sales. Retailers should test their response plan ahead of time. Knowing who to call, what systems to isolate, and how to communicate with customers can turn a potential crisis into a short disruption. Protecting consumer data during the holidays is about being ready, aware, and disciplined when the stakes are highest.”
Dyl said AI can help retailers predict demand, personalize offers, and improve the shopping experience. However, when used without the proper safeguards, it can expose customer data and erode trust.
“The first risk is how data is collected and shared. Many AI systems learn from customer information such as purchase history or location. If that data is not anonymized or securely stored, it can be misused or leaked. Retailers should know exactly which tools have access to their data, where it is stored, and who has access to the data,” she said.
“The second risk is bias and over-automation. AI tools can unintentionally favour or exclude certain groups of customers if they are trained on limited or imbalanced data. AI tools can certainly make mistakes, which are often referred to as hallucinations.”
To manage these risks, she said retailers should treat AI as a tool that needs human oversight, not as a replacement for judgment. Practical safeguards include:
- Reviewing how customer information is protected before any AI system goes live.
- Testing the results regularly to check for bias or errors.
- Training teams to understand how AI decisions are made and how to challenge them when something looks wrong.
Identifying risks is the first step in making crucial judgments, added Dyl.
The holiday rush is prime time for online scams. Criminals know shoppers are busy, distracted, and eager for deals, she noted.
“A few simple habits can make a big difference in staying safe. Start by shopping only on trusted websites and by typing the retailer’s name directly into your browser instead of clicking links from ads, emails, or social media. Avoid reusing passwords across accounts, and turn on two-step verification wherever possible,” she said.
“Finally, check your bank or credit card statements frequently during the season. Spotting a suspicious charge early often limits the damage. In short, slow down before you click, and if a deal feels too good to be true, it probably is.”
Dyl said it is important to choose safe payment methods. How you pay makes a significant difference in your protection:
- Use credit cards instead of debit cards online; credit cards offer better fraud protection and dispute options
- Consider secure payment services like Apple Pay or PayPal for extra protection
- Never pay sellers demanding gift cards, wire transfers, payment apps, or cryptocurrency; only scammers insist on untraceable payments
- Don’t save payment information on retail sites
- Avoid bank transfers for online purchases – banks can’t trace them
- Shop only on devices with current software updates
- Never use public Wi-Fi for purchases or banking
- Turn on extra verification steps for all shopping and banking accounts
“Several warning signs should put you on alert. Suspiciously low prices or urgent ‘limited-time’ sales often signal fraud. Fraudsters deliberately create pressure and rush your decisions, a tactic that’s especially effective during holiday shopping when expectations and financial stress already run high,” explained Dyl.
“Social media deserves extra caution. Fake ads on these platforms frequently lead to undelivered or counterfeit products. Similarly, avoid contests offering gift cards in exchange for surveys that capture your personal information. When you receive unexpected emails or texts about shipping, missed deliveries, or order confirmations, resist the urge to click any links. Instead, go directly to the verified website to check your order status. This simple pause can protect your privacy.
“The timing matters too. Black Friday and Cyber Monday scam emails more than double during the two-week peak shopping period.”
If you suspect you’ve been scammed, act immediately. Start by securing your accounts: change passwords for bank and credit card accounts, enable extra verification steps, and log out of all active sessions. Then clear your browsing history, update all operating systems and apps, and run security scans with protection software. Next, contact your financial institutions with detailed reports about what happened. Depending on the severity, file police reports as well. Continue monitoring your accounts closely for any unauthorized transactions, and consider freezing your credit reports if significant personal information was compromised, said Dyl.
A data breach directly affects how customers spend. When shoppers learn their information has been exposed, they will hesitate to buy from that retailer and consider switching to competitors that they believe are safer. Even loyal customers may reduce spending or avoid online purchases for months afterward.
“The financial impact extends beyond lost sales. Retailers face higher marketing costs to rebuild confidence, potential fines, and greater pressure from payment partners and insurers. This also includes containment efforts, legal fees, government fines, customer notifications, credit monitoring for affected individuals, and system repairs.
“Protecting customer data is ultimately about protecting future revenue and maintaining long-term relationships built on reliability and transparency.”