Luxury department store Harrods has reported a cybersecurity incident affecting approximately 430,000 customers. The breach was traced back to a third-party provider whose systems were compromised, leading to the exposure of sensitive e-commerce customer records.
The stolen data includes names, contact details, and internally used marketing labels tied to Harrods’ services and loyalty programs. While the company emphasized that no payment data, passwords, or order histories were affected, the leak still raises concerns about the security of customer data in complex retail ecosystems.
Harrods clarified that this breach is unrelated to the attempted attack it suffered in May, which was linked to the notorious hacking group Scattered Spider. Unlike the earlier incident, the current breach involves indirect exposure due to vulnerabilities in an external partner.
The company has proactively contacted customers and notified appropriate authorities.
Why It Matters: The Harrods breach is yet another example of how vulnerabilities in a company’s extended digital supply chain can lead to major data compromises, even when internal systems are secure. As retailers continue to face heightened cyber threats, similar incidents highlight the need for stronger third-party vendor oversight and broader coordination in cybersecurity defense.
- Third-Party Vendor Breach at the Core of the Incident: Harrods attributed the breach to a cybersecurity incident at an undisclosed third-party supplier. This type of supply chain vulnerability is becoming increasingly common in large-scale cyberattacks, and early indications suggest it may be linked to the broader Salesloft OAuth token compromise. That attack has impacted multiple companies by allowing hackers to pivot into Salesforce environments, showing how interconnected platforms can amplify the reach of a single breach.
- Customer Data Exposed Includes Internal Marketing Labels: While the breach did not expose sensitive financial or login information, it did involve a wide range of personally identifiable information and internal tags used by Harrods for marketing and customer segmentation, such as tier level, loyalty program affiliation, and usage of co-branded cards. Though Harrods claims this data is unlikely to be useful to outsiders, its exposure could still facilitate phishing or impersonation attempts.
- Direct Contact and Extortion Attempts: Following the breach, the attackers reportedly contacted Harrods directly, likely intending to demand ransom or initiate extortion. Harrods has publicly stated that it will not engage with the threat actors and has chosen to focus on customer communication and cooperation with authorities. This type of behavior is common in ransomware and data theft operations, where breaches are often followed by direct negotiations or public data dumps.
- Part of a Broader Wave of UK Retail Cyberattacks: Harrods’ breach is part of a broader surge of cyberattacks targeting major UK businesses such as Co-op, M&S, and Jaguar Land Rover. In each case, companies have suffered varying degrees of disruption and financial loss, with Co-op reporting a £206 million hit to sales and M&S estimating £300 million in lost profit. These incidents signal growing coordination among cybercriminal groups and an urgent need for sector-wide defense strategies.
- Harrods’ Response Focuses on Containment and Transparency: Harrods has notified affected customers via email and is working closely with data protection authorities to manage the incident. The company emphasized that its internal systems remain secure and that the breach is confined to data managed by an external vendor. Customers are being advised to stay vigilant for phishing emails or fraudulent messages claiming to come from Harrods, especially given the nature of the leaked data.
Go Deeper ->
- Harrods suffers new data breach exposing 430,000 customer records – BleepingComputer
- Hackers contact Harrods after 430,000 customer records hit by IT breach – BBC