Harrods says online customer data stolen in IT breach tied to third-party provider
Passwords and payment data were not compromised; Harrods calls the incident isolated and contained, as authorities are notified and the retailer cooperates with the third-party provider.
Harrods has warned that personal data of some online customers may have been taken in an IT breach affecting the systems of a third-party provider. The retailer said information such as names and contact details was exposed, but that no passwords or payment data were compromised and the breach appeared to be limited to the third party's environment.
Harrods said in an email to customers on Friday night that the incident has been contained and described as an "isolated incident." It said the third party has confirmed the breach is contained and that Harrods is working with the provider to take appropriate actions and has notified relevant authorities. The retailer emphasized that its own systems were not compromised and that the breach is not connected to the cyber attack in May that led Harrods to restrict internet access across its sites as a precaution.
A loosely linked group of hackers that claimed responsibility for the May breach also asserted links to high-profile hacks on Marks & Spencer and the Co-op earlier this year. In July, the National Crime Agency arrested four people in connection with those hacks — a 20-year-old woman arrested in Staffordshire and three men aged 17 to 19 detained in London and the West Midlands. All have since been released on bail.
An August cyber operation claimed to have disrupted Jaguar Land Rover's production lines until earlier this week. Richard Horne, chief executive of the National Cyber Security Centre, said cyber attacks may sound theoretical and technical, but have real-world impact on real people. "Increasingly the attackers are getting good at causing those impacts, they're refining their techniques," he told BBC Radio 4's Today programme. "All organisations, big and small, regardless of whether you think of yourself as critical to the nation or not, to protect you and to protect your customers there are things that have to be done to secure your system."
The incident underscores ongoing risk to retailers that rely on third-party services and the broader supply chain, even as individual companies reiterate that their own networks remain secure and that authorities continue to investigate and monitor potential threats.