SailPoint: Are Seasonal Hires Cybersecurity’s Weak Link?

Black Friday sales are taking place at every turn and Christmas is on the horizon, but those are not the only pressures facing the festive trading window.

Following a year that has seen the likes of retailers and manufacturers hit with devastating cyber attacks, companies like M&S, JLR and Balenciaga must continue to recover, balancing this while handling one of the most operationally complex staffing periods in the calendar. 

The result is a perfect storm: seasonal hiring, surging online demand and a crowded threat landscape come together at the end of the year, turning identity into one of retail’s most critical – and fragile – security controls.

Cybersecurity and the Golden Quarter 

What is the Golden Quarter?

This period has long been the time when retailers make a disproportionate share of their annual revenue.

But now, their cyber risk profile is just as important. 

High-profile attacks on major global brands have already shown how quickly a ransomware incident or data breach can shut down warehouses, disrupt logistics and erode consumer trust at scale – meaning protection during the Golden Quarter is of the utmost importance.

During this time, Black Friday and pre‑Christmas promotions drive unprecedented online traffic and transaction volumes, making digital channels and payment platforms the backbone of peak-season trading. 

Any outage or compromise during this window is instantly visible to customers, amplifying the reputational and financial fallout of a successful attack.

Rex Booth, CISO at SailPoint, says that businesses will be “betting on the Golden Quarter and Black Friday to rebuild customer confidence and boost sales following the slew of cyberattacks this year”.   

However, he warns that guards must remain up – as surges in traffic and sales coax out malicious actors.

He adds: “Organisations will be onboarding huge volumes of seasonal staff at speed, many of whom will be given instantaneous access to critical systems without proper training and with minimal vetting.  

“Businesses need visibility of who can access what and when – or else an influx of staff coming and going could become a gateway for attackers.  

“Identity security tools automatically deactivate dormant accounts of departing employees and ensure current staff only have access to what’s needed for their roles – no more, no less. This makes it harder for attackers to fly under the radar undetected.   

“In today’s threat landscape, it only takes one compromised identity and retailers could be facing weeks – or even months – of operational chaos and disruption.”

Seasonal staff and identify sprawl

As Rex emphasises, at this time of year retailers add thousands of temporary workers to their workforces – across stores, contact centres, fulfilment hubs and online operations – and often onboarding them in days, if not hours. 

To keep queues moving and orders shipping, many of these staff are granted rapid access to point-of-sale systems, order management platforms and internal support tools, sometimes with limited vetting and minimal security training.​

This is where identity sprawl becomes more than an administrative nuisance. 

Shared logins for tills, generic accounts for ‘Christmas temps’ and manual spreadsheets to track who has access to what create blind spots that attackers can exploit. 

On top of this, come a time when the rush is over, these accounts are not always revoked promptly, leaving dormant credentials and over-privileged profiles as low‑hanging fruit for threat actors well into the new year.

Compromised identities hit harder now than ever before

Because modern retail operations are deeply integrated – with inventory, payments, logistics, customer data and loyalty systems all stitched together via APIs and cloud platforms – a single compromised identity with broad or poorly governed access can act as a pivot point, enabling attackers to move laterally across business-critical systems far more quickly than ever.

And the impact surpasses just data loss, too. 

Locking staff out of core systems during remediation can halt order processing, delay deliveries and force stores onto manual workarounds at the worst possible moment. At the same time, disclosure obligations and negative headlines around a breach can undo months of work spent rebuilding consumer confidence after earlier incidents – like what has been seen with Harrods, JLR, M&S, Co-op and Balenciaga.

Stopping cyber criminals before it becomes a crisis

Even with strong lifecycle controls, retailers have to assume that some identities will be compromised – through phishing, credential stuffing or targeted social engineering during busy trading windows. 

Monitoring identity usage for anomalous patterns, such as logins from unexpected locations, unusual times or systems outside a worker’s normal remit, becomes a crucial second line of defence.​

SailPoint and similar platforms focus on behavioural analytics and policy-based alerts to flag risky activity without overwhelming security teams.

In a Black Friday context – where noise levels are already high – this kind of intelligence can mean the difference between catching an intrusion early and discovering it only after days of suspicious refunds, fraudulent orders or exfiltrated customer data.