Harrods

Luxury department store Harrods confirmed a cyber breach where attackers stole 430,000 customer records (names, contact details, and marketing tags like tier level or co-branded card affiliations) from a third-party provider’s system. While no payment details or account passwords were compromised, the exposed data poses risks for targeted phishing, social engineering, and identity theft, as evidenced by criminals directly contacting affected customers. Harrods refused to negotiate with the attackers, citing cybersecurity best practices, and is collaborating with the National Cyber Security Centre (NCSC) and Metropolitan Police Cyber Crime Unit for mitigation. The breach was isolated and contained, with no impact on Harrods’ internal systems, but it underscores vulnerabilities in third-party supply chain security. The incident follows an earlier 2024 attack linked to the Scattered Spider group, though unrelated to this breach. Harrods emphasized transparency by notifying affected customers and issuing public statements to maintain trust.

Source: https://www.cxtoday.com/crm/harrods-customers-targeted-after-cyber-attack-on-third-party-vendor/

TPRM report: https://www.rankiteo.com/company/harrods

{
  "id": "har1492214093025",
  "linkid": "harrods",
  "type": "Breach",
  "date": "6/2024",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [
    {
      "customers_affected": "430,000 (e-commerce customers)",
      "industry": "retail",
      "location": "London, UK (Knightsbridge, Heathrow, Gatwick)",
      "name": "Harrods",
      "size": "large (60+ million annual visitors)",
      "type": "luxury department store"
    },
    {"type": "third-party provider"}
  ],
  "attack_vector": "third-party provider system compromise",
  "customer_advisories": [
    "Customers were informed that their name, contact details, and marketing tags were exposed.",
    "Assured that payment details and passwords were not compromised.",
    "Warned about potential phishing/social engineering risks."
  ],
  "data_breach": {
    "data_exfiltration": true,
    "number_of_records_exposed": "430,000",
    "personally_identifiable_information": ["names", "contact details (email/phone/address if provided)"],
    "sensitivity_of_data": "moderate (no payment details or passwords, but PII usable for phishing/identity theft)",
    "type_of_data_compromised": ["personally identifiable information (PII)", "marketing metadata"]
  },
  "date_detected": "2023-09-26",
  "date_publicly_disclosed": "2023-09-26",
  "description": "Luxury department store Harrods confirmed that cyber attackers stole customer data from one of its third-party providers' systems. The breach exposed 430,000 customer records, including names, contact details, and marketing-related tags. Attackers contacted affected customers directly, raising concerns about phishing and identity theft risks. Harrods refused to negotiate with the cybercriminals and is cooperating with authorities, including the NCSC and Metropolitan Police Cyber Crime unit. The breach was contained and deemed an isolated incident, with no compromise of Harrods' internal systems.",
  "impact": {
    "brand_reputation_impact": ["moderate (risk of eroded trust due to third-party breach)", "mitigated by proactive communication"],
    "customer_complaints": "potential (due to direct contact by attackers)",
    "data_compromised": ["customer names", "contact details", "marketing tags (e.g., tier level, co-branded card affiliation)"],
    "identity_theft_risk": "high (due to exposed PII)",
    "operational_impact": "limited (isolated to third-party provider)",
    "payment_information_risk": "none (payment details not compromised)",
    "systems_affected": ["third-party provider's system"]
  },
  "initial_access_broker": {
    "data_sold_on_dark_web": "potential (not confirmed, but attackers contacted customers directly)",
    "entry_point": "third-party provider's system",
    "high_value_targets": ["customer PII", "marketing data"]
  },
  "investigation_status": "ongoing (in collaboration with NCSC and Metropolitan Police)",
  "lessons_learned": [
    "Third-party risks are a critical vulnerability in modern customer service ecosystems.",
    "Even 'basic' PII (names/contact details) can be highly valuable to cybercriminals for phishing/identity theft.",
    "Proactive communication and transparency are essential to maintaining trust during a breach.",
    "Refusing to negotiate with attackers aligns with cybersecurity best practices and avoids encouraging further attacks.",
    "Security is only as strong as the weakest link in the supply chain."
  ],
  "motivation": ["extortion", "potential data monetization (e.g., phishing, identity theft)"],
  "post_incident_analysis": {
    "corrective_actions": [
      "Collaboration with third-party to strengthen security measures.",
      "Review of third-party vendor security protocols.",
      "Enhanced customer communication strategies for future incidents."
    ],
    "root_causes": ["third-party security vulnerability", "supply chain risk exposure"]
  },
  "ransomware": {"data_exfiltration": true},
  "recommendations": [
    "Conduct thorough third-party security assessments and enforce strict vendor risk management policies.",
    "Implement continuous monitoring for third-party systems handling customer data.",
    "Enhance customer education on phishing risks post-breach.",
    "Adopt a 'never pay' ransomware policy and focus on resilience/response capabilities.",
    "Follow NCSC guidelines for proactive security measures (e.g., access controls, incident response planning)."
  ],
  "references": [
    {"date_accessed": "2023-09-30", "source": "CX Today"},
    {"date_accessed": "2023-09-26", "source": "Harrods Public Statement"},
    {"source": "National Cyber Security Centre (NCSC) Warning (May 2023)", "url": "https://www.ncsc.gov.uk"}
  ],
  "regulatory_compliance": {"regulatory_notifications": ["likely (given UK GDPR obligations)"]},
  "response": {
    "communication_strategy": ["proactive customer notification (September 26)", "public statements (September 28, 30)", "transparency about data exposed"],
    "containment_measures": ["isolated incident confirmed by third-party provider", "collaboration with third-party to ensure appropriate actions"],
    "incident_response_plan_activated": true,
    "law_enforcement_notified": true,
    "third_party_assistance": ["National Cyber Security Centre (NCSC)", "Metropolitan Police Cyber Crime unit"]
  },
  "stakeholder_advisories": ["public statements issued", "direct notifications to affected customers"],
  "title": "Harrods Third-Party Data Breach Affecting 430,000 Customer Records",
  "type": ["data breach", "third-party compromise"]
}