Harrods says customers' data stolen in IT breach

Luxury department store Harrods said on Friday that personal data belonging to some online customers may have been stolen in an IT breach involving a third-party provider. The information, including names and contact details, was taken from the third party's systems but Harrods said no passwords or payment details were compromised.

In an email to customers, Harrods described the incident as 'isolated' and said the third party has confirmed the breach has been contained. Harrods said it is working with the provider to take appropriate actions and has notified all relevant authorities. A Harrods spokesman said the company's own systems were not breached and that the incident is not connected to a May cyber attack when internet access across Harrods sites was restricted as a precaution after an unauthorized access attempt.

The May incident and the alleged hacks tied to the same loosely affiliated group have figured in UK cybercrime investigations. In July, the National Crime Agency arrested four people in connection with those hacks; a 20-year-old woman was arrested in Staffordshire and three males, aged 17 to 19, were detained in London and the West Midlands. All were released on bail.

Another group claimed responsibility for an August cyber attack that halted Jaguar Land Rover production lines until earlier this week.

Richard Horne, chief executive of the National Cyber Security Centre, told BBC Radio 4 that cyber attacks may sound theoretical and technical, but have real-world impact on real people. 'Increasingly the attackers are getting good at causing those impacts,' he said, adding that 'these criminal attackers... they don't care who they hit, and they don't care how they hurt them.' He urged organizations to protect their systems to safeguard customers.