Target Entity: B&M European Value Retail S.A. (LSE: BME); operating subsidiaries B&M Retail Ltd (UK), Heron Foods Ltd, B&M France SAS
Audit Phase: V-DIG
Audit Date: 2026-05-01
Jurisdiction of Incorporation: Luxembourg (S.A.); principal operations England & Wales
B&M Retail Ltd’s confirmed enterprise identity and access management (IAM) provider is Cisco Duo, which supplies multi-factor authentication (MFA) across the B&M UK store estate and corporate network. A named vendor case study published on the Duo Security resources portal documents B&M as a customer, describing Duo’s deployment in an “identity first” security model across the organisation 3. Cisco (Duo’s parent since its 2018 acquisition) maintains significant Israeli R&D operations through past acquisitions, but Duo Security is a US-origin product line (Ann Arbor, Michigan) with no identified Unit 8200 lineage or Israeli-origin technology component within the platform as deployed at B&M.
No public evidence has been identified of B&M holding licensing, subscription, or integration relationships with any of the following Israeli-origin cybersecurity vendors: Check Point Software, Wiz, SentinelOne, CyberArk, Palo Alto Networks (Israeli R&D), Claroty, or Armis. This absence is consistent across B&M’s annual report disclosures, trade press coverage, and vendor case study material reviewed for this audit.
B&M’s payment security architecture, as described in its 2020 and 2021 Annual Reports, is built around Worldpay (FIS) point-to-point encryption (P2PE) at the PIN entry device layer, supporting PCI DSS compliance obligations across the UK estate 15 16. Worldpay is a US/UK-origin financial infrastructure provider with no identified Israeli-origin technology component in the payment stack as deployed at B&M. No evidence of B&M using Israeli-origin payment processing, fraud detection, or financial compliance technology has been identified.
TPP Retail (a UK-based retail software house) is B&M’s primary systems integrator for store operations technology. In November 2023, trade press reported the rollout of TPP’s retail operations platform across B&M’s UK estate 1, subsequently confirmed by a TPP Retail vendor case study 2 and a B&M-specific case study page on TPP’s website 8. TPP’s engagement encompasses:
TPP Retail’s documented technology stack centres on Zebra hardware and its own software; no Israeli-origin technology has been identified as mandated or deployed by TPP in the B&M engagement.
Claranet (a UK-based managed services provider) supplies managed IT and PCI DSS compliance services to Heron Foods Ltd, a B&M subsidiary. A Claranet case study confirms this relationship and describes its scope in terms of network management and security compliance 4. Claranet is a UK/European MSP with no Israeli-origin technology identified in the Heron Foods engagement. The sub-contractor technology stack deployed by Claranet within the Heron Foods managed service could not be independently verified from available evidence and is identified as an evidence gap requiring live verification.
A Ricoh UK vendor case study documents B&M’s use of DocuWare (a document management platform) for digital document management, covering HR processes and back-office workflows 14. DocuWare is a German-origin software product, since acquired by Ricoh. No Israeli-origin component has been identified in this engagement.
In October 2025, Iron Mountain announced a 10-year contract logistics partnership with B&M, covering document and data management logistics across the UK operation 13. Iron Mountain is a US-origin firm (Boston, Massachusetts). The contract covers UK logistics operations and has no identified Israeli-origin technology component.
B&M’s annual reports do not name specific cloud infrastructure providers beyond generic references to digital transformation. No evidence has been identified of B&M holding a direct commercial relationship with any Israeli-origin cloud or SaaS platform. The absence of publicly named cloud providers in B&M’s disclosures limits the depth of analysis available without live verification of current job postings and procurement records.
B&M Retail Ltd is a confirmed, named subscriber to the Facewatch live facial recognition (LFR) watchlist system — the most significant surveillance technology finding in this audit. The evidential basis for this finding is multi-source and robust:
Facewatch’s corporate origin and technology: Facewatch Ltd is a UK-domiciled company incorporated in England and Wales. It is not an Israeli-origin firm. Its operational model involves capturing facial images at store entrances, converting them to biometric templates, and matching against a cloud-hosted shared watchlist of persons of interest contributed by subscribing retailers 20. The algorithmic providers used by Facewatch in the B&M deployment period are reported in trade press as including Amazon Rekognition (an AWS cloud computer vision service, US-origin) and, in earlier periods, RealNetworks SAFR (a US-origin, Seattle-based facial recognition platform). Neither is Israeli-origin.
Governance structure: B&M, as a Facewatch subscriber, is not the data controller for the biometric processing; Facewatch Ltd holds that role. B&M is the data processor/subscriber. This structure means B&M has delegated decisions about algorithmic providers and data infrastructure to Facewatch. The consumer press has raised concerns about whether this delegation is adequately disclosed to shoppers 29.
No Israeli-origin facial recognition technology identified: No public evidence has been identified that Facewatch uses algorithms from AnyVision/Oosto, BriefCam, Trigo, Corsight AI, or any other Israeli-origin facial recognition vendor in its B&M deployment. The AnyVision-to-Oosto rebrand occurred in 2022 31; no relationship between Oosto and Facewatch or B&M has been identified.
B&M uses Sensormatic electronic article surveillance (EAS) systems — traditional RF/RFID anti-theft tags — as part of its standard loss prevention infrastructure 32. Sensormatic is a Johnson Controls brand, US-origin (Princeton, New Jersey). It is not Israeli-origin.
B&M is a confirmed customer of VUE Group (Vision Unique Equipment) for video telematics across its logistics fleet. VUE vendor case studies document the B&M relationship, covering VMC4 connected telematics units for claims management and driver behaviour monitoring 5 6. A VUE Group press release records a partnership between VUE and Radius Payment Solutions 7; however, the characterisation of this as a full acquisition (VUE by Radius) reported in trade press 25 could not be independently confirmed from training data, and is flagged as unverified. The distinction is material: if VUE was acquired by Radius, B&M’s fleet telematics supply chain passes through the Radius corporate group.
A further claimed supply-chain link — that Radius Telematics integrates Mobileye (Israeli-origin, Jerusalem; acquired by Intel in 2017 26) EyeQ collision avoidance technology into its platform, and that this technology is present in B&M’s VUE fleet units — is assessed as plausible in structure but unverified at each link. Mobileye maintains fleet safety partnerships distributed through telematics platform integrators, and its fleet product range is publicly documented. However, whether Radius is among these integrators, and whether B&M’s specific VUE units incorporate Mobileye hardware or software, cannot be confirmed from available evidence. This chain (B&M → VUE → Radius → Mobileye) is identified as a priority evidence gap requiring live verification before it can be presented as a finding rather than a hypothesis.
B&M has no operational presence in Israel or the Middle East. Annual reports confirm operations in the United Kingdom, Republic of Ireland, and France only 15 16 17. No data centre, distribution centre, or registered office is located in Israel or any Israeli-administered territory.
No public evidence has been identified of B&M participating in, contracting under, or otherwise engaging with Project Nimbus — the approximately USD 1.2 billion Israeli government cloud infrastructure contract awarded jointly to Amazon Web Services and Google Cloud in 2021 27. B&M is not a party to this contract and is not a technology provider to the Israeli state.
A tertiary commercial inference was noted in preparatory research: B&M’s technology vendors (including Facewatch, which likely uses AWS infrastructure, and VUE, whose cloud backend provider is unconfirmed) may themselves use AWS, and AWS participates in Project Nimbus 28. This represents a relationship mediated by at least two independent commercial parties and is not characterised as a finding of B&M participation in or material contribution to Project Nimbus. The inference is recorded for completeness but does not constitute an evidenced finding.
No public evidence has been identified of B&M’s customer or operational data being stored in Israel or processed by Israeli-domiciled data infrastructure providers. B&M’s privacy policy 12 identifies Facewatch as the biometric data controller; Facewatch’s data infrastructure location is not publicly specified in available sources, and the current algorithmic provider (Amazon Rekognition or otherwise) may process biometric data in AWS regions outside the UK. The data residency implications of Facewatch’s infrastructure choices are delegated from B&M to Facewatch as data controller.
B&M does not provide cloud, data sovereignty, or infrastructure resilience services to any government or third party. It is a retail end-user of such services, not a provider. No evidence of participation in any sovereign cloud programme — UK or otherwise — has been identified.
No public evidence identified. B&M European Value Retail S.A. and its subsidiaries are engaged exclusively in discount variety retail operations. No defence, intelligence, or national security sector contracts have been identified in any jurisdiction. Annual reports, regulatory filings at Companies House 30, and S&P Global credit analysis 18 confirm no material revenue streams from non-retail activities.
No public evidence identified. B&M does not develop, manufacture, or supply technology products. It is a consumer retail end-user of technology. No dual-use goods, export-controlled technology, or military-grade equipment has been identified in B&M’s product offering or supply chain at the corporate level.
No public evidence identified. No relationships with offensive cyber capability developers, weapons systems integrators, or munitions manufacturers have been identified in any available source.
No public evidence identified. The July 2023 Facewatch/Home Office closed-door meeting reported by Biometric Update 10 involved Facewatch Ltd’s engagement with the UK Home Office on the governance of retail facial recognition — this is a domestic UK regulatory engagement involving B&M’s supplier, not B&M itself, and does not constitute an intelligence community relationship for B&M.
No public evidence identified. B&M does not develop, supply, license, or operate AI or machine learning systems for any state body, public authority, or third party. It is a retail operating company with no identified AI product development capability.
The Facewatch LFR system deployed at B&M stores involves algorithmic biometric matching. As documented above, B&M is the subscriber and Facewatch Ltd is the data controller and system operator. The algorithm itself (Amazon Rekognition or prior iterations using RealNetworks SAFR) is procured and operated by Facewatch, not by B&M. B&M’s role is limited to providing access to store premises and contributing to the shared watchlist of persons of interest. The Biometric Update reporting on the November 2025 wrongful identification incident illustrates the operational consequences of algorithmic error rates in this deployment context 9.
No other algorithmic or automated decision-making system with material civil liberties, dual-use, or Israel-nexus implications has been identified in B&M’s operational stack.
No public evidence identified. B&M has no identified involvement in AI training data generation, sale, or licensing. No relationship with AI model development organisations — commercial or state-affiliated — has been identified.
No public evidence identified. B&M has not deployed autonomous vehicle, drone delivery, autonomous fulfilment, or robotics systems at any verified operational scale. No lethality-relevant autonomous system involvement of any kind has been identified.
B&M has no R&D operations in Israel. Its technology and digital functions are based at the company’s UK headquarters in Speke, Liverpool. Annual reports make no reference to engineering offices, innovation labs, accelerator programmes, or technology partnerships with Israeli research institutions 17. B&M does not self-describe as a technology company and does not publish R&D expenditure figures; technology deployment is managed through vendor relationships rather than in-house development.
No public evidence identified of B&M acquiring or investing in any Israeli-origin technology company, Israeli technology venture fund, or Israel-focused technology accelerator. B&M’s documented corporate acquisitions are:
Neither acquisition has any identified Israeli technology dimension. B&M’s capital allocation strategy, as described in annual reports and S&P credit analysis 18, is focused on organic store-estate expansion and operational efficiency rather than technology M&A.
No public evidence identified of patent filings, licensing agreements, or co-development arrangements between B&M and any Israeli-domiciled entity, including Israeli universities (Technion, Hebrew University, Ben-Gurion University, Weizmann Institute) or Israeli state research bodies. B&M does not hold a material patent portfolio; as a retail operating company, its competitive advantages are operational and commercial rather than IP-based.
B&M’s confirmed technology partner ecosystem, drawn from vendor case studies and trade press, comprises:
No Israeli-origin vendor has been confirmed in a direct or first-tier supply relationship with B&M or any of its subsidiaries.
Big Brother Watch is the principal civil society organisation to have specifically named and documented B&M’s use of facial recognition technology. Its October 2022 report “Who’s Watching? Facial Recognition in UK Retail” named B&M Retail alongside Southern Co-op as among the most significant retail deployers of Facewatch live facial recognition in the UK 22. The accompanying campaign page reiterates this finding and calls for regulatory intervention 21. The report raises concerns about:
Big Brother Watch does not, in the sources available for this audit, characterise B&M’s technology use as connected to Israeli state infrastructure or Israeli occupation.
Biometric Update has provided the most detailed trade-press coverage of B&M’s Facewatch deployment, including:
Which? (UK consumer champion) has reported on facial recognition in retail shops and has addressed the Facewatch/B&M relationship in the context of consumer rights and transparency 29.
No NGO, academic report, or civil society publication identified for this audit characterises B&M’s retail technology as connected to Israeli state entities, Israeli occupation infrastructure, or Israeli defence or intelligence bodies.
No public evidence identified of any organised boycott, divestment, or sanctions (BDS) campaign targeting B&M specifically on grounds of its technology relationships with Israeli state entities or Israeli-origin technology vendors. BDS movement campaign records reviewed in training data do not surface B&M as a named technology-sector target. B&M does not stock Israeli-branded goods as a known product line in the manner that has made some retailers targets of BDS product boycotts, and no technology-focused BDS campaign naming B&M has been identified.
ICO reprimand to Facewatch and Southern Co-op (October 2022): The UK Information Commissioner’s Office issued formal reprimands to Facewatch Ltd and Southern Co-op in October 2022, following an investigation into their use of live facial recognition in retail stores 23. The ICO found concerns regarding whether the processing met the lawfulness, fairness, and transparency requirements of UK GDPR and the Data Protection Act 2018. B&M was not named as a respondent in this action. However, B&M is a Facewatch subscriber using the same system architecture and shared watchlist model that formed the subject of the reprimand. The ICO reprimand established that the Facewatch model in its then-current form presented compliance risks under UK data protection law.
No data protection enforcement action by the ICO specifically naming B&M Retail Ltd or any B&M subsidiary in connection with Facewatch or any other technology system has been identified in available training-data knowledge.
No regulatory inquiry, export control action, financial sanctions investigation, or legal challenge involving B&M’s technology relationships with Israeli state entities or Israeli-origin technology vendors has been identified.
S&P Global CreditWatch: In 2025, S&P Global Ratings placed B&M’s credit rating on CreditWatch Negative following a profit warning that included disclosure of an accounting error 18. This is a financial, not a technology or regulatory, finding. It is noted for contextual completeness regarding corporate governance posture.
Companies House filings: B&M’s UK operating entities are registered at Companies House and are current with their filing obligations 30. No technology-related legal proceedings are disclosed in available filings.
https://retailtechinnovationhub.com/home/2023/11/22/bandm-rolls-out-tpp-retail-technology-as-it-looks-to-drive-operational-efficiency-across-uk-stores ↩↩
https://www.tppretail.com/bm-deploys-new-retail-ops-solution-from-tpp-retail/ ↩↩
https://resources.duo.com/explore/assets/bm-retail-puts-identity-first ↩↩
https://www.claranet.com/uk/case-study/heron-foods-ensures-pci-dss-compliance-claranet/ ↩↩
https://vuegroup.org/benefits-of-video-telematics-in-food-logistics-bm-bargains/ ↩↩
https://vuegroup.org/wp-content/uploads/2020/12/BM-Case-Study-Benefits-of-working-with-VUE.pdf ↩↩
https://vuegroup.org/new-partnership/ ↩
https://www.biometricupdate.com/202511/human-error-blamed-for-false-accusation-at-retailer-using-facial-recognition ↩↩↩
https://www.biometricupdate.com/202307/facewatch-caught-in-more-controversy-after-closed-door-meeting-with-uk-home-office ↩↩↩
https://www.biometricupdate.com/202307/missing-the-mark-on-messaging-about-retail-facial-recognition-use-sparks-backlash ↩↩
https://www.bandmretail.com/site-services/privacy-policy ↩↩↩
https://www.ironmountain.com/about-us/media-center/articles/2025/october/iron-mountain-and-b-m-announce-major-10-year-contract-logistics-partnership ↩↩
https://www.annualreports.com/HostedData/AnnualReportArchive/b/LSE_BME_2020.pdf ↩↩↩
https://www.annualreports.com/HostedData/AnnualReportArchive/b/LSE_BME_2021.pdf ↩↩
https://www.bandmretail.com/investor-relations/results-reports-and-presentations/annual-reports ↩↩↩
https://www.spglobal.com/ratings/en/regulatory/article/-/view/type/HTML/id/3462618 ↩↩↩
https://issuu.com/jandmgroup/docs/s_ftg_206_july23_online ↩↩
https://www.facewatch.co.uk/how-it-works ↩
https://bigbrotherwatch.org.uk/campaigns/stop-facial-recognition/ ↩↩
https://bigbrotherwatch.org.uk/wp-content/uploads/2022/10/Whos-Watching-Report.pdf ↩↩
https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2022/10/ico-issues-reprimands-to-southern-co-op-and-facewatch/ ↩
https://www.scribd.com/document/866306675/Data-Privacy-Notice-004 ↩↩
https://www.fleetnews.co.uk/fleet-management/telematics/radius-payment-solutions-acquires-vue-group ↩
https://newsroom.intel.com/news-releases/intel-acquisition-mobileye/ ↩
https://www.theguardian.com/technology/2021/apr/08/project-nimbus-israel-tech-military-contract ↩
https://www.theguardian.com/technology/2024/apr/16/amazon-google-employees-protest-project-nimbus-israel ↩
https://www.which.co.uk/news/article/facial-recognition-in-shops-what-you-need-to-know-aRoAc6B3nrjr ↩↩
https://find-and-update.company-information.service.gov.uk/company/08528961 ↩↩
https://oosto.com/blog/anyvision-is-now-oosto/ ↩
https://www.zebra.com/gb/en/products/mobile-computers/handheld/tc21-tc26.html ↩↩
https://bigbrotherwatch.org.uk/wp-content/uploads/2022/10/Whos-Watching-Report.pdf ↩↩
