Harrods third-party breach exposes 430,000 customer records, hackers reach out

London’s iconic department store Harrods has disclosed that approximately 430,000 customer records were compromised in a cybersecurity incident affecting a third-party provider. The breach was first revealed in Harrods’ communications with impacted users and corroborated by media coverage, including the BBC.

Personal information exposed

The data accessed by threat actors primarily consists of basic personal identifiers: names, email addresses, phone numbers, and postal addresses. Some records also included marketing and profile metadata (e.g., customer tags, loyalty card status) linked to Harrods’ e-commerce operations. Crucially, Harrods states that no passwords, payment card data, or order histories were taken.

“Our focus remains on informing and supporting our customers. We have informed all relevant authorities and will continue to co-operate with them,” stated a Harrods spokesperson.

The spokesperson further said that some data linked to marketing preferences, loyalty programs, and partnerships — including Harrods-branded cards — was also accessed, but added that “this information is unlikely to be interpreted accurately by an unauthorised third party.”

Since most Harrods customers shop in-store, the breach is believed to have impacted only a relatively small share of its clientele.

“We would like to reiterate that no payment details or order history information has been accessed and the impacted personal data remains limited to basic personal identifiers as advised previously,” they said.

Harrods insists that its internal systems were not breached and that the incident was isolated to its vendor’s infrastructure.

Careful with phishing attempts

Affected customers should be on the lookout for unsolicited communications that appear to come from the department store, as these could instead come from threat actors and phishers targeting them. Customers should also keep an eye on bank statements and credit reports in case attackers use stolen identifiers in broader fraud schemes.

Always validate the legitimacy of online, phone, or text message requests for “verification” or “reconfirmation” of data before responding or providing personal information. Identity monitoring or data breach monitoring services may be valuable, especially if you suspect your data was among the exposed set.

Ax Sharma

Ax Sharma is a UK-based security researcher, journalist and TV subject matter expert experienced in malware analysis and cybercrime investigations. His areas of interest include open source software security and threat intel analysis. Frequently featured by leading media outlets like the BBC, Channel 5, Fortune, WIRED, The Register, among others, Ax is an active community member of the OWASP Foundation and the British Association of Journalists (BAJ).
