Harrods says online customer data stolen in IT breach; passwords and payment details not affected
The luxury retailer says a third-party provider's systems were breached, with names and contact details exposed for some online customers; authorities notified and investigation ongoing
Harrods said on Friday that personal data belonging to some online customers may have been taken in an IT systems breach involving a third-party provider. The information reportedly included names and contact details; Harrods said passwords and payment details were not taken. The retailer described the incident as isolated and contained, and said it is working with the third party to take appropriate actions. Authorities have been notified.
Harrods added that its own systems had not been compromised, and that the breach is not connected to the May cyber attack, when it restricted internet access across its sites as a precaution after an attempt to gain unauthorized access to its systems. A spokesman for Harrods said the breach was limited to the third party's environment and that there is no evidence the retailer's core networks were affected.
Details of the breach come as investigators have tied a loosely linked group to other cyber incidents. The same group claimed responsibility for high-profile attacks on Marks & Spencer and the Co-op earlier this year. In July, the National Crime Agency arrested four people in connection with those hacks; a 20-year-old woman was arrested in Staffordshire, and three men aged 17 to 19 were detained in London and the West Midlands. All have since been released on bail.
Cyber security officials have warned that attackers are increasingly capable of causing real-world harm. Richard Horne, chief executive of the National Cyber Security Centre, told BBC Radio 4's Today programme that cyber attacks may sound theoretical but have real-world impact on ordinary people. He said attackers are refining their techniques and urged organizations of all sizes to take steps to secure their systems to protect customers.
Harrods said it remains in contact with the third-party provider and will keep customers updated as actions are taken. The retailer stressed that the breach involved third-party systems and that no passwords or payment details were accessed, but said data such as names and contact details may have been exposed for some online customers.
Beyond Harrods, the incident underscores ongoing cybersecurity risks facing retailers and other businesses that rely on external IT services. The group behind the May attack and its purported affiliates have drawn attention to the vulnerability of supply chains and third-party partners, highlighting why authorities have pressed for stronger security standards across the sector.
Separately, reports from the period note that another cyber incident in August affected Jaguar Land Rover's manufacturing operations; a different group claimed responsibility for disrupting JLR's production lines earlier this week, illustrating how attacker networks can appear across industries.