Harrods confirms data breach affecting online customers; third-party provider implicated
Isolated incident; no passwords or payment data compromised; authorities notified; linked to broader cyberattack activity and arrests
Harrods has warned that personal data from some online customers may have been taken in an IT systems breach, potentially affecting information such as names and contact details held by a third-party provider.
The retailer said the incident was an isolated one, contained, and that no passwords or payment details were compromised. It added that the third party has confirmed the breach is isolated and that appropriate actions are being taken. Harrods said its own systems had not been breached and that the incident is not connected to a separate cyber attack in May, which prompted the retailer to restrict internet access across its sites as a precaution after an attempt to gain unauthorized entry.
A loosely linked group of hackers that claimed responsibility for the May attack also asserted they were behind high-profile intrusions at Marks & Spencer and the Co-operative Group earlier this year. In July, the National Crime Agency arrested four people in connection with the hacks: a 20-year-old woman was arrested in Staffordshire, and three males aged 17 to 19 were detained in London and the West Midlands. All have since been released on bail.
The episode comes as security officials have warned that cyber threats are evolving in scale and sophistication. Richard Horne, chief executive of the National Cyber Security Centre, said cyber attacks may sound theoretical and technical, but they have real-world impact on real people. He urged organizations to strengthen defenses, noting that attackers “are refining their techniques” and that protection is required across all sizes of operation to guard systems and customers alike.
Another group claimed responsibility for an August cyberattack that halted the global production lines of Jaguar Land Rover until earlier this week, underscoring the broad reach of disruptive cyber activity. The incidents collectively illustrate how third-party relationships can become a vector for data exposure and operational disruption, prompting continued scrutiny by regulators and security agencies as represented by ongoing investigations and public warnings from authorities.