French DIY retail giant Leroy Merlin discloses a data breach

French home improvement and gardening retailer Leroy Merlin is notifying customers that their personal info has been compromised in a data breach.

Leroy Merlin operates in multiple European countries as well as in South Africa and Brazil, employs 165,000 people, and has an annual revenue of $9.9 billion.

The incident affects only customers in France, according to the notification published on social media by SaxX_, and exposed the following data types:

• Full name
• Phone number
• Email address
• Postal address
• Date of birth
• Loyalty program-related information

“A cyberattack recently targeted our information system, and some of your personal data may have leaked outside the company” (machine translated), reads the notification the company sent to affected customers.

“As soon as the incident was detected, we took all necessary measures to block unauthorized access and contain the incident.”

The company clarified that the exposed information does not include banking data or online account passwords.

Also, the notice mentions that the stolen information has not been used in a malicious way, suggesting that it has not been leaked online or leveraged for extortion, but cautioned customers to remain vigilant of unsolicited communications.

Customers receiving the notification are also provided with information on how to identify phishing messages attempting to impersonate the brand.

If any anomaly is detected in customer account activity or trouble with redeeming loyalty discounts, customers are asked to report the activity directly to the company.

BleepingComputer could confirm that the notification is genuine and has reached out to Leroy Merlin to request more details about the breach and how many customers are affected. We have not received a reply by publication time.

At the time of writing, we did not see any ransomware group claiming the attack.