Luxury London-based retailer Harrods confirmed a cybersecurity breach in September 2025, in which criminals stole the data of 430,000 customers from a compromised third-party supplier. The exposed information includes basic personal details (names, contact details) and marketing-related data (membership tier levels, Harrods co-branded card affiliations), but no passwords or financial data. While Harrods stated that the stolen marketing data was unlikely to be accurately interpreted by attackers, the breach still poses reputational and operational risks. The company declined to name the affected supplier but assured customers that its own systems remained uncompromised. Harrods also confirmed that the threat actor contacted it directly, though it declined to engage. This incident is separate from an earlier 2025 attack linked to the Scattered Spider hacking group, which targeted multiple UK retailers. Authorities were notified, and Harrods emphasized its focus on customer support and cooperation with investigations. The breach highlights the exposure created by third-party supply chains, raising concerns over data protection compliance and customer trust.
Source: https://www.theregister.com/2025/09/29/harrods_blames_thirdparty_supplier_after/
TPRM report: https://www.rankiteo.com/company/harrods
"id": "har1732117092925",
"linkid": "harrods",
"type": "Breach",
"date": "9/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '430,000',
                        'industry': 'luxury retail',
                        'location': 'London, UK',
                        'name': 'Harrods',
                        'type': 'retailer'}],
 'attack_vector': 'third-party supplier breach',
 'customer_advisories': ['notifications sent to 430,000 affected customers'],
 'data_breach': {'data_exfiltration': True,
                 'number_of_records_exposed': '430,000',
                 'personally_identifiable_information': ['names',
                                                         'contact details',
                                                         'membership tier levels',
                                                         'co-branded card affiliation'],
                 'sensitivity_of_data': 'moderate (no financial/password data)',
                 'type_of_data_compromised': ['personal identifiable information (PII)',
                                              'marketing data']},
 'date_publicly_disclosed': '2025-09-26',
 'description': "Luxury London-based retailer Harrods confirmed a cybersecurity incident where criminals stole 430,000 customers' data through a breach at one of its third-party suppliers. The compromised data includes basic personal details (names, contact information) and marketing-related data (membership tier levels, co-branded card affiliation), but excludes passwords and financial information. Harrods stated its own systems were not targeted and refused to name the supplier. The threat actor contacted Harrods, but the company declined engagement. Authorities were notified, and the incident is separate from an earlier 2025 attack linked to Scattered Spider.",
 'impact': {'brand_reputation_impact': 'potential reputational harm (second incident in 2025)',
            'data_compromised': ['basic personal details (names, contact information)',
                                 'marketing-related data (membership tier levels, Harrods co-branded card affiliation)'],
            'identity_theft_risk': 'low (no financial/password data exposed)',
            'payment_information_risk': 'none (no financial data compromised)',
            'systems_affected': ['third-party supplier systems']},
 'initial_access_broker': {'entry_point': 'third-party supplier'},
 'investigation_status': 'ongoing (authorities cooperating)',
 'post_incident_analysis': {'root_causes': ['third-party supplier vulnerability']},
 'ransomware': {'data_exfiltration': True},
 'references': [{'source': 'The Register'}],
 'regulatory_compliance': {'regulatory_notifications': ['relevant authorities notified']},
 'response': {'communication_strategy': ['customer notifications (2025-09-26)',
                                         'public statement'],
              'containment_measures': ['isolated by third-party supplier'],
              'incident_response_plan_activated': True,
              'law_enforcement_notified': True,
              'recovery_measures': ['customer notifications',
                                    'authority cooperation']},
 'stakeholder_advisories': ['customer notifications',
                            'public statement (2025-09-26)'],
 'title': 'Harrods Data Breach via Third-Party Supplier (2025)',
 'type': ['data breach', 'third-party compromise']}