Harrods says online customers' data may have been stolen in IT breach via third-party provider

Harrods said on Friday that personal data belonging to some online customers may have been taken in an IT systems breach involving a third-party provider. The information reportedly included names and contact details, but passwords and payment data were not affected. The retailer described the incident in an email to customers as an isolated breach and said the third party has confirmed it has been contained and that it is working with the provider to ensure that all appropriate actions are taken. It added that authorities have been notified.

The company stressed that its own systems had not been compromised and that the breach is not connected to a cyber attack in May, when Harrods restricted internet access across its sites as a precaution after an attempt to gain unauthorized access to its systems.

In May, an attempted intrusion prompted a precautionary tightening of online access; a loosely linked group of hackers who claimed responsibility for that attack also claimed to be behind high-profile intrusions at Marks & Spencer and the Co-op earlier this year. In July the National Crime Agency arrested four people in connection with the hacks; a 20-year-old woman was arrested in Staffordshire, and three males aged 17 to 19 were detained in London and the West Midlands. All have since been released on bail.

Another group claimed responsibility for an August cyber attack that halted the global production lines of Jaguar Land Rover until earlier this week.

Richard Horne, chief executive of the National Cyber Security Centre, said cyber attacks can have real-world consequences and that attackers are growing more capable of causing disruption. He noted that organizations of all sizes must take steps to secure their systems and protect customers, given the increasingly practical impacts of these threats.