UK retail giant Harrods has disclosed a new cybersecurity incident after hackers compromised a third-party supplier and stole 430,000 records with sensitive e-commerce customer information.
In a statement for BleepingComputer, the luxury department store noted that the latest incident is not related to the May cyberattack, which was attributed to Scattered Spider.
Harrods is a London-based luxury goods department store. It operates a full-featured e-commerce platform catering to international customers.
The recent data breach was first reported by media outlets in the U.K. after Harrods notified customers impacted by the incident.
Harrods told BleepingComputer that it “proactively informed affected e-commerce customers on Friday” that their names and contact details were compromised following a breach at a third-party provider. The company did not disclose the name of the compromised entity.
Apart from names and contact details, some customer records also included tags and labels used internally for marketing and other services that Harrods provides.
“Affected customer records may also have labels related to marketing and services delivered by Harrods,” the luxury goods company says.
“These labels may include tier level or affiliation to a Harrods co-branded card, although this information is unlikely to be interpreted accurately by an unauthorised third party.”
Co-branded cards are credit cards that are part of the company’s loyalty program and carry Harrods’ logo alongside those of a card network (American Express, Visa) and a financial institution (QNB, NBK).
They can be used to earn reward points and include various benefits, like dining credits and access to special events.
Despite the data exposure, Harrods underlined that the leaked data does not include account passwords, payment information, or order histories, and is limited to basic personal identifiers.
The company also noted that the threat actor has contacted them directly, likely in an attempt to extort them, but stated that it would not engage in communication.
The historic shop continues its efforts to inform and support exposed customers, and has notified all relevant authorities accordingly, working closely with them.
Customers of Harrods’ online shop should stay vigilant for phishing attacks and social engineering, and avoid clicking on links sent via email or SMS from unknown contacts.