Harrods Suffers New Data Breach Exposing 430,000 Customer Records

Key Takeaways
  • Third-Party Breach: Hackers compromised a Harrods supplier, stealing 430,000 e-commerce customer records.
  • Data Exposed: Names, contact details, and marketing-related tags were leaked; no passwords or payment data were involved.
  • Co-Branded Card Labels: Some records included tags linked to Harrods’ loyalty program and co-branded credit cards, though these are unlikely to be useful to attackers.
  • Extortion Attempt: Hackers contacted Harrods directly, but the company refused to engage.
  • Regulatory Action: Harrods has notified authorities and urged customers to remain vigilant against phishing and social engineering.
Deep Dive

Hackers have compromised a third-party supplier of Harrods, exposing 430,000 customer records with sensitive e-commerce information, the luxury retailer confirmed after reports first surfaced in major UK media outlets.

The London-based luxury retailer confirmed the breach in a statement to BleepingComputer, emphasizing that the incident was unrelated to the attempted cyberattack it faced in May. That earlier intrusion, attributed to the group Scattered Spider, involved the DragonForce ransomware and targeted multiple UK retailers, including Marks & Spencer and Co-op. Harrods said its proactive response in May prevented attackers from accessing its systems at the time.

According to Harrods, the recent breach stemmed from a compromised third-party provider, whose name has not been disclosed. The company said it “proactively informed affected e-commerce customers on Friday” that their personal data had been exposed. Compromised information included names and contact details, along with internal tags and labels used for marketing and customer services.

Some of those labels referenced Harrods’ loyalty program, including tier levels and affiliations to co-branded credit cards. These cards, issued in partnership with financial institutions such as QNB and NBK alongside card networks like Visa and American Express, allow customers to earn reward points and access special benefits. Harrods stressed, however, that such labels “are unlikely to be interpreted accurately by an unauthorized third party.”

Crucially, the company said no passwords, payment information, or order histories were involved in the exposure.

Extortion Attempt and Customer Guidance

Harrods revealed that the threat actor had contacted the company directly, likely in an attempt to extort money. The retailer stated it would not engage with the attackers and has already notified relevant authorities, with whom it is cooperating.

In its public notice, Harrods urged customers to remain vigilant against phishing attempts and social engineering tactics, particularly unsolicited emails or SMS messages that may appear to come from the company.

The latest incident underscores the ongoing cybersecurity challenges facing high-profile retailers that operate extensive e-commerce platforms. While Harrods successfully fended off a ransomware attack earlier this year, its reliance on third-party suppliers introduces additional exposure that cybercriminals continue to exploit.

Harrods said it remains committed to supporting customers affected by the breach while reinforcing its defenses in partnership with regulators and security authorities.
