Harrods says customer data stolen in IT breach
The luxury retailer says names and contact details from a third-party provider may have been accessed; Harrods stresses no passwords or payment data were breached and the incident is described as isolated and contained.
Harrods says personal data belonging to some online customers may have been accessed in an IT systems breach tied to a third-party provider, with information such as names and contact details potentially taken from the provider’s systems. In an email sent to customers on Friday evening, the luxury department store said the information was taken from the third party’s systems, not from Harrods’ own network. The retailer stressed that no passwords or payment details were compromised and described the incident as an isolated one that has been contained. Harrods said the third party has confirmed the breach is isolated and that the retailer is working closely with the provider to take all appropriate actions. Harrods noted that its own systems were not breached and said the incident is not connected to a cyber attack in May, when it restricted internet access across its sites as a precaution after an attempted unauthorised entry to its systems.
The May incident involved an attempted intrusion into Harrods’ systems, after which the retailer restricted internet access across its sites. A Harrods spokesperson said the breach being disclosed now is separate from that event, and that the company continues to cooperate with the third party and with authorities to assess the scope and impact of the data exposure. The firm’s statement emphasizes that the data involved was limited to names and contact details rather than secure financial information, aiming to reassure customers and minimize potential misuse while investigators review the case.
The disclosure comes amid a broader pattern of cyber activity linked to loosely connected hacker groups that have targeted multiple retailers and manufacturers in recent months. A group that claimed responsibility for the May attack also asserted involvement in high‑profile breaches at Marks & Spencer and the Co‑op earlier this year. In July, the National Crime Agency arrested four people in connection with those hacks: a 20-year-old woman was arrested in Staffordshire, and three males aged 17 to 19 were detained in London and the West Midlands. All have since been released on bail, according to authorities.
Industry observers note the pattern of arrests highlights the ongoing law enforcement focus on retail and consumer-facing operations as attackers increasingly exploit third‑party access, supply chains, and online platforms. The incidents have fed concerns about how well organizations monitor third‑party relationships and how quickly they can detect and contain breaches that originate outside their own networks. Harrods’ emphasis on the incident being isolated suggests that internal controls and vendor oversight may have limited the breach’s reach, but officials acknowledge that even small data exposures can have real-world consequences for customers.
Another group that has claimed responsibility for the May attacks also asserted responsibility for an August incident that disrupted Jaguar Land Rover’s global production lines until earlier this week, according to security researchers and authorities cited in the coverage of the case. While none of these claims has been independently verified in every instance, the pattern of aggressive cyber activity around the retail and manufacturing sectors underlines the persistent threat actors pose to companies that operate complex digital ecosystems and rely on external partners for elements of their IT infrastructure.
Richard Horne, chief executive of the National Cyber Security Centre, said cyber attacks may sound theoretical and technical, but they have real-world impact on real people. 'Increasingly the attackers are getting good at causing those impacts, they’re refining their techniques,' Horne told BBC Radio 4’s Today programme. 'These criminal attackers... they don’t care who they hit, and they don’t care how they hurt them. All organisations, big and small, regardless of whether you think of yourself as critical to the nation or not, to protect you and to protect your customers there are things that have to be done to secure your system.' The remarks underscore the growing imperative for robust cyber defenses, including scrutiny of third‑party access, rapid breach detection, and coordinated response protocols across sectors.
As Harrods and other firms review the specifics of these incidents, authorities and cybersecurity officials continue to stress the need for ongoing vigilance. For now, Harrods has said it is assisting the third-party provider and authorities to determine the full extent of the exposure and to implement any required actions to prevent recurrence. The episode serves as a reminder to consumers that personal data can be at risk even when the breach originates outside a company’s own networks, and it reinforces the importance of layered security measures, incident response planning, and transparent communication with customers during and after a breach.