Harrods rejects contact with hackers, after 430,000 customer records stolen from third-party provider
The luxury department store has denied any link to a failed attack on its systems in May
Harrods has confirmed contact with the hackers behind a recent cyber attack, in which a third-party provider was breached and 430,000 customer records were stolen, adding that it has refused to engage with them.
The luxury department store warned customers of an "isolated incident" on 26 September, in an email explaining that while information such as some customer names and contact details had been stolen, no passwords or payment information had been affected.
At the time, it also asserted that the incident had been contained and that all relevant authorities had been notified.
This will include the Information Commissioner's Office (ICO), which under UK GDPR must be informed whenever UK organizations suffer a data breach that is likely to affect individuals' rights or freedoms.
Harrods has not named the third-party provider and declined to do so when asked by ITPro.
This is the second time this year that Harrods has been involved in a cyber incident. It was previously hit with a cyber attack in May, amid a spate of attacks on UK retailers, including Marks and Spencer Group (M&S) and the Co-operative Group Limited.
At the time Harrods reacted by restricting internet access at its sites, to keep attackers from breaching its systems.
In a statement to ITPro, Harrods said the new attack disclosed on Friday was not connected to the May attempted attack and had not resulted in hackers accessing its internal systems.
"We have received communications from the threat actor and will not be engaging with them," a spokesperson told ITPro.
"We proactively informed affected e-commerce customers on Friday that the impacted personal data is limited to basic personal identifiers including name and contact details (where this information has been provided). It does not include account passwords or payment details."
The spokesperson added that the stolen data may include marketing and e-commerce labels, such as co-branded Harrods cards, though clarified that "this information is unlikely to be interpreted accurately by an unauthorised third party".
Harrods did not provide further information regarding the content of the message it received from the attackers.
Third-party breaches in retail
Third-party data breaches are a growing threat to the retail sector, with a recent SecurityScorecard report finding retail and hospitality suffered a 52.4% breach rate in 2024.
"Cybercriminals are increasingly targeting third-party suppliers because these vendors often have weaker security defences than the large companies they serve," Dray Agha, senior manager of security operations at Huntress, told ITPro.
"For a prestigious target like Harrods, breaching a smaller supplier is a far easier backdoor than attacking the company's main systems directly. This forces organizations to defend not just themselves, but their entire digital ecosystem."
Agha added that this incident should remind organizations that cybersecurity is only as strong as one's least secure vendor, necessitating strong third-party risk management.

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.
In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn.
