In a recent cybersecurity incident, luxury department store Harrods has reported a significant data breach affecting approximately 430,000 customer records. The breach resulted from a security failure at an unnamed third-party provider, rather than Harrods’ internal systems. This event underscores the growing risks associated with supply chain vulnerabilities in the retail sector.
Details of the Breach
On September 26, 2025, Harrods began notifying affected customers via email about the breach. The compromised data includes names and contact details provided by customers, as well as information related to marketing preferences, loyalty program status, and affiliations with Harrods’ co-branded credit cards. Importantly, the company has assured that no financial information, such as payment card details or account passwords, was accessed during the incident.
A Harrods spokesperson noted that the marketing-related data is unlikely to be interpreted accurately by an unauthorized third party. The breach is understood to have affected a small proportion of the store’s total clientele, as the majority of Harrods customers shop in-store rather than online.
Response and Mitigation Efforts
In response to the incident, Harrods has proactively informed affected e-commerce customers and notified all relevant authorities, including the Information Commissioner’s Office (ICO), in compliance with UK General Data Protection Regulation (GDPR) requirements. The company emphasized its commitment to customer security, stating: “Our focus remains on informing and supporting our customers. We have informed all relevant authorities and will continue to cooperate with them.”
The hackers behind the attack have contacted Harrods, but the retailer has stated it will not engage with the threat actor, which suggests that a ransom demand was made.
Context and Industry Implications
This security event is separate from a previous cyberattack attempt on Harrods’ internal systems in May 2025. That earlier incident, part of a wider series of attacks on UK retailers like Marks & Spencer and Co-op, prompted Harrods to restrict internet access as a precaution but did not result in a data compromise at the time.
The recent breach highlights a growing trend of cybercriminals targeting supply chain partners as a weaker link to access data from major corporations. Customers of Harrods’ online store are advised to be vigilant against potential phishing and social engineering attempts.