Harrods says online customer data may have been taken in IT breach; passwords and payments not affected
Personal data such as names and contact details may have been exposed in a breach tied to a third-party provider. Harrods says its own systems were not compromised and no passwords or payment details were taken; authorities have been not…
Harrods said the personal data of some online customers may have been taken from the systems of a third-party provider in an IT breach, including names and contact details. The retailer said its own systems were not compromised and that no passwords or payment details were taken.
In an email sent to customers on Friday evening, Harrods described the breach as an 'isolated incident' that has been contained, and said it is working closely with the third party to ensure that all appropriate actions are being taken. 'The third party has confirmed this is an isolated incident which has been contained, and we are working closely with them to ensure that all appropriate actions are being taken. We have notified all relevant authorities,' the message said.
Harrods also said its own system had not been compromised and that the breach is not connected to a cyber attack in May, when it restricted internet access across its sites as a precaution after an attempt to gain unauthorized access. The May incident was linked, in public summaries, to a loosely connected group of hackers that claimed responsibility for earlier high-profile hacks on Marks & Spencer and the Co-op.
In July, the National Crime Agency arrested four people in connection with those hacks: a 20-year-old woman was arrested in Staffordshire and three males aged 17 to 19 were detained in London and the West Midlands. All have since been released on bail. Separately, another group claimed responsibility for an August cyber attack that halted Jaguar Land Rover's global production lines until earlier this week.
Richard Horne, chief executive of the National Cyber Security Centre, said cyber attacks may sound theoretical and technical, but have real-world impact on real people. 'Increasingly the attackers are getting good at causing those impacts, they're refining their techniques,' he told BBC Radio 4's Today programme. 'These criminal attackers... they don't care who they hit, and they don't care how they hurt them. All organisations, big and small, regardless of whether you think of yourself as critical to the nation or not, to protect you and to protect your customers there are things that have to be done to secure your system.'
The breach underscores the ongoing risk to consumers and retailers as cyber threats evolve, and the need for robust vendor management and threat monitoring across supply chains.