Harrods, the luxury department store, suffered a data breach in which the personal details of **430,000 customers** were exposed after a **third-party provider system was compromised**. The leaked information includes **names, contact details, and marketing-related labels** (e.g., tier level or co-branded card affiliation), but **no passwords or payment details** were accessed. The breach originated from an external vendor, not Harrods' own systems, and follows an earlier attempted attack in May, which prompted the retailer to restrict internet access across its sites as a precaution.

The threat actor behind the breach **contacted Harrods**, but the company **refused to engage or negotiate**. While the exposed data is limited to basic identifiers, the scale of the breach (nearly half a million customers) and the involvement of a **criminal group**—previously linked to attacks on Marks & Spencer and the Co-op—heighten concerns. Four individuals (aged 17–20) were arrested in July on suspicion of **blackmail, money laundering, and organized cybercrime**, though investigations remain ongoing.

Harrods proactively notified affected e-commerce customers, emphasizing that the compromised data poses **low financial risk** but could enable **targeted phishing or spam campaigns**. The incident underscores the exposure created by third-party supply chains and the growing threat of **large-scale customer data exposure** in retail cyberattacks.
Source: https://sg.news.yahoo.com/harrods-not-engaging-hackers-behind-081535726.html
TPRM report: https://www.rankiteo.com/company/harrods
```json
{
  "id": "har1632416092925",
  "linkid": "harrods",
  "type": "Breach",
  "date": "5/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
```
```python
{'affected_entities': [{'customers_affected': '430,000',
                        'industry': 'Retail',
                        'location': 'London, United Kingdom',
                        'name': 'Harrods',
                        'type': 'Retailer (Luxury Department Store)'}],
 'attack_vector': ['Third-Party Vulnerability', 'Unauthorized Access'],
 'customer_advisories': ['Proactive notification to affected e-commerce '
                         'customers (September 6, 2024) regarding exposed data '
                         '(names, contact details, marketing labels) and '
                         'reassurance that passwords/payment details were not '
                         'compromised.'],
 'data_breach': {'data_exfiltration': 'Yes',
                 'number_of_records_exposed': '430,000',
                 'personally_identifiable_information': ['Names',
                                                         'Contact Details'],
                 'sensitivity_of_data': 'Moderate (names, contact details, '
                                        'non-sensitive marketing labels; no '
                                        'passwords or payment data)',
                 'type_of_data_compromised': ['Personal Identifiers',
                                              'Marketing Labels']},
 'date_publicly_disclosed': '2024-09-08',
 'description': 'Harrods, a luxury department store, confirmed that the '
                'personal details of 430,000 customers were exposed in a data '
                'breach after a third-party provider system was compromised. '
                'The exposed data includes names, contact details, and '
                'marketing-related labels (e.g., tier level or co-branded card '
                'affiliation), but not passwords or payment details. Harrods '
                'has vowed not to engage with the threat actor responsible. '
                'The incident is unrelated to earlier attempts to breach '
                "Harrods' systems in 2024. In May, Harrods restricted internet "
                'access across its sites as a precautionary measure following '
                'a separate attempted breach. Four individuals, including two '
                '19-year-old men, a 17-year-old boy, and a 20-year-old woman, '
                'were arrested in July on suspicion of involvement in cyber '
                'attacks against Harrods, Marks & Spencer, and the Co-op, with '
                'charges including blackmail, money laundering, and Computer '
                'Misuse Act offenses.',
 'impact': {'brand_reputation_impact': ['Potential reputational damage due to '
                                        'exposure of customer data and refusal '
                                        'to engage with hackers'],
            'data_compromised': ['Names',
                                 'Contact Details',
                                 'Marketing Labels (e.g., tier level, '
                                 'co-branded card affiliation)'],
            'identity_theft_risk': ['Low (no passwords or payment details '
                                    'exposed, but names and contact details '
                                    'compromised)'],
            'operational_impact': ['Restricted internet access across sites '
                                   '(May 2024, precautionary measure)'],
            'payment_information_risk': 'None',
            'systems_affected': ['Third-Party Provider System']},
 'initial_access_broker': {'entry_point': ['Third-Party Provider System']},
 'investigation_status': 'Ongoing (arrestees bailed pending further inquiries '
                         'as of July 2024)',
 'motivation': ['Blackmail', 'Data Theft', 'Potential Financial Gain'],
 'post_incident_analysis': {'root_causes': ['Third-party vendor compromise']},
 'ransomware': {'data_exfiltration': 'Yes (data breach confirmed)',
                'ransom_paid': 'No (Harrods refused to engage with threat '
                               'actor)'},
 'references': [{'date_accessed': '2024-09-08', 'source': 'ITV News'},
                {'source': 'National Crime Agency (NCA) Press Release (July '
                           '2024 arrests)'}],
 'regulatory_compliance': {'legal_actions': ['Arrests made under suspicion of '
                                             'blackmail, money laundering, '
                                             'Computer Misuse Act offenses, '
                                             'and organized crime group '
                                             'participation']},
 'response': {'communication_strategy': ['Public statement (September 8, '
                                         '2024), proactive notification to '
                                         'affected e-commerce customers '
                                         '(September 6, 2024)'],
              'containment_measures': ['Restricted internet access across '
                                       'sites (May 2024)'],
              'incident_response_plan_activated': 'Yes (proactive customer '
                                                  'notification, internet '
                                                  'access restrictions in May '
                                                  '2024)',
              'law_enforcement_notified': 'Yes (National Crime Agency '
                                          'involved; arrests made in July '
                                          '2024)'},
 'threat_actor': ['Unknown (suspected organized crime group)',
                  'Four individuals arrested (two 19-year-old men, one '
                  '17-year-old boy, one 20-year-old woman)'],
 'title': 'Harrods Data Breach Exposes Personal Details of 430,000 Customers',
 'type': ['Data Breach', 'Third-Party Compromise']}
```