Harrods third-party breach exposes 430,000 customer records, hackers reach out

Ax Sharma October 1, 2025 0
building wrapped with string lights during night time

Photo by Mehdi Faez on <a href="https://www.pexels.com/photo/building-wrapped-with-string-lights-during-night-time-10142075/" rel="nofollow">Pexels.com</a>

London’s iconic department store Harrods has disclosed that approximately 430,000 customer records were compromised in a cybersecurity incident affecting a third-party provider. The breach was first revealed in its communications with impacted users and corroborated by media coverage, including the BBC.

Personal information exposed

The data accessed by threat actors primarily consists of basic personal identifiers: names, email addresses, phone numbers, and postal addresses. Some records also included marketing and profile metadata (e.g., customer tags, loyalty card status) linked to Harrods’ e-commerce operations. Crucially, Harrods states that no passwords, payment card data, or order histories were taken.

“Our focus remains on informing and supporting our customers. We have informed all relevant authorities and will continue to co-operate with them,” stated a Harrods spokesperson.

The spokesperson further said that some data linked to marketing preferences, loyalty programs, and partnerships — including Harrods-branded cards — was also accessed, but added that “this information is unlikely to be interpreted accurately by an unauthorised third party.”

Since most Harrods customers shop in-store, the breach is believed to have impacted only a relatively small share of its clientele.

“We would like to reiterate that no payment details or order history information has been accessed and the impacted personal data remains limited to basic personal identifiers as advised previously,” they said.

Harrods insists that its internal systems were not breached and that the incident was isolated to its vendor’s infrastructure.

Careful with phishing attempts

Affected customers should be on the lookout for unsolicited communications appearing to come from the department store, as these could instead be initiated by threat actors and phishers attempting to target you. Customers should also keep an eye on bank statements and credit reports in case attackers use stolen identifiers in broader fraud schemes.

Always validate legitimacy before responding to online, phone, or text message requests for “verification” or “reconfirmation” of data, before you provide personal information. Identity monitoring or data breach monitoring services may be valuable, especially if you suspect your data was among the exposed set.

About the author

Ax Sharma

Ax Sharma is a UK-based security researcher, journalist and TV subject matter expert experienced in malware analysis and cybercrime investigations. His areas of interest include open source software security and threat intel analysis. Frequently featured by leading media outlets like the BBC, Channel 5, Fortune, WIRED, The Register, among others, Ax is an active community member of the OWASP Foundation and the British Association of Journalists (BAJ).

See author's posts

More Stories

westjet-airplane

WestJet confirms customer ID, passports stolen in June cyberattack

Ax Sharma October 1, 2025 0
a close up of a red and black flag

Albanian Parliament and telco ‘One Albania’ suffer cyber attacks

Security Report News December 30, 2023 0
man wearing red hoodie

Carbanak Banking Malware Resurfaces with Updated Tactics in Ransomware Attacks

Security Report News December 29, 2023 0

Leave a Reply