Harrods rejects contact with hackers, after 430,000 customer records stolen from third-party provider
The luxury department store has denied any link to a failed attack on its systems in May


Harrods has confirmed contact with the hackers behind a recent cyber attack, in which a third-party provider was breached and 430,000 customer records were stolen, adding that it has refused to engage with them.
The luxury department store warned customers of an "isolated incident" on 26 September, in an email explaining that while information such as some customer names and contact details had been stolen, no passwords or payment information had been affected.
At the time, it also asserted that the incident had been contained and that all relevant authorities had been notified.
This will include the Information Commissioner's Office (ICO), which under UK GDPR must be informed whenever UK organizations suffer a data breach that is likely to affect individuals' rights or freedoms.
Harrods has not named the third-party provider and declined to do so when asked by ITPro.
This is the second time this year that Harrods has been involved in a cyber incident. It was previously hit with a cyber attack in May, amid a spate of attacks on UK retailers, including Marks and Spencer Group (M&S) and the Co-operative Group Limited.
At the time Harrods reacted by restricting internet access at its sites, to keep attackers from breaching its systems.
In a statement to ITPro, Harrods said the new attack disclosed on Friday was not connected to the May attempted attack and had not resulted in hackers accessing its internal systems.
"We have received communications from the threat actor and will not be engaging with them," a spokesperson told ITPro.
"We proactively informed affected e-commerce customers on Friday that the impacted personal data is limited to basic personal identifiers including name and contact details (where this information has been provided). It does not include account passwords or payment details."
The spokesperson added that the stolen data may include marketing and e-commerce labels, such as co-branded Harrods cards, though clarified that "this information is unlikely to be interpreted accurately by an unauthorised third party".
Harrods did not provide further information regarding the content of the message it received from the attackers.
Third-party breaches in retail
Third-party data breaches are a growing threat to the retail sector, with a recent SecurityScorecard report finding retail and hospitality suffered a 52.4% breach rate in 2024.
"Cybercriminals are increasingly targeting third-party suppliers because these vendors often have weaker security defences than the large companies they serve," Dray Agha, senior manager of security operations at Huntress, told ITPro.
"For a prestigious target like Harrods, breaching a smaller supplier is a far easier backdoor than attacking the company's main systems directly. This forces organizations to defend not just themselves, but their entire digital ecosystem."
Agha added that this incident should remind organizations that cybersecurity is only as strong as one's least secure vendor, necessitating strong third-party risk management.

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.