Harrods says customers' data stolen in IT breach, store describes incident as isolated

Harrods said customers’ personal data may have been taken in an IT-systems breach involving a third-party provider, according to an email sent to online customers on Friday evening.

The data reportedly included the names and contact details of some online shoppers, while Harrods said passwords and payment information were not taken. The retailer said: "The third party has confirmed this is an isolated incident which has been contained, and we are working closely with them to ensure that all appropriate actions are being taken. We have notified all relevant authorities."

Harrods stressed that its own systems were not compromised and that the breach is not connected to the cyber attack in May, when the store restricted internet access across its sites after an attempt to gain unauthorised access to its systems.

A loosely linked group of hackers who claimed responsibility for that May attack also claimed responsibility for high-profile breaches at Marks & Spencer and the Co-op earlier this year. In July the National Crime Agency arrested four people in connection to the hacks: a 20-year-old woman was arrested in Staffordshire, and three males—aged 17 to 19—were detained in London and the West Midlands. All have since been released on bail.

Richard Horne, chief executive of the National Cyber Security Centre, said cyber attacks may sound theoretical and technical, but have "real world impact on real people." "Increasingly the attackers are getting good at causing those impacts," he said. "All organisations, big and small, regardless of whether you think of yourself as critical to the nation or not, to protect you and to protect your customers there are things that have to be done to secure your system."

Harrods said it would continue to monitor the situation and cooperate with authorities as investigations proceed.