Harrods third-party breach exposes 430,000 customer records, hackers reach out

London’s iconic department store Harrods has disclosed that approximately 430,000 customer records were compromised in a cybersecurity incident affecting a third-party provider. The breach was first revealed in its communications with impacted users and corroborated by media coverage, including the BBC.

Personal information exposed

The data accessed by threat actors primarily consists of basic personal identifiers: names, email addresses, phone numbers, and postal addresses. Some records also included marketing and profile metadata (e.g., customer tags, loyalty card status) linked to Harrods’ e-commerce operations. Crucially, Harrods states that no passwords, payment card data, or order histories were taken.

“Our focus remains on informing and supporting our customers. We have informed all relevant authorities and will continue to co-operate with them,” stated a Harrods spokesperson.

The spokesperson further said that some data linked to marketing preferences, loyalty programs, and partnerships — including Harrods-branded cards — was also accessed, but added that “this information is unlikely to be interpreted accurately by an unauthorised third party.”

Since most Harrods customers shop in-store, the breach is believed to have impacted only a relatively small share of its clientele.

“We would like to reiterate that no payment details or order history information has been accessed and the impacted personal data remains limited to basic personal identifiers as advised previously,” they said.

Harrods insists that its internal systems were not breached and that the incident was isolated to its vendor’s infrastructure.

Careful with phishing attempts

Affected customers should be on the lookout for unsolicited communications appearing to come from the department store, as these could instead be initiated by threat actors and phishers attempting to target you. Customers should also keep an eye on bank statements and credit reports in case attackers use stolen identifiers in broader fraud schemes.

Always validate legitimacy before responding to online, phone, or text message requests for “verification” or “reconfirmation” of data, before you provide personal information. Identity monitoring or data breach monitoring services may be valuable, especially if you suspect your data was among the exposed set.