Luxury department store Harrods confirmed a data breach in September 2025, where cybercriminals stole up to **430,000 customer records** from a **third-party IT provider**. The compromised data includes **basic personal identifiers** (names, contact details), **loyalty card information**, **marketing preferences**, and **co-branded card associations**, but **no payment details or account passwords** were exposed. The breach follows a prior cyberattack attempt in May 2025, where Harrods successfully thwarted unauthorized access to its internal systems. This time, hackers exploited a **supply-chain vulnerability**, targeting a weaker external partner. Harrods refused to engage with the threat actors, suggesting a **ransom demand** was involved. While the company assured containment and collaboration with authorities, the incident highlights risks in third-party dependencies and the escalating threat landscape for high-profile retailers.
Source: https://hackread.com/harrods-data-breach-records-stolen-third-party-attack/
Harrods cybersecurity rating report: https://www.rankiteo.com/company/harrods
"id": "har36101736110725",
"linkid": "harrods",
"type": "Breach",
"date": "5/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '430,000',
'industry': 'retail',
'location': 'London, UK',
'name': 'Harrods',
'type': 'luxury department store'}],
'attack_vector': ['third-party vulnerability', 'supply chain compromise'],
'customer_advisories': ['Monitor accounts for fraud.',
'Report suspicious communications.',
'No action required for passwords/payment data (not '
'compromised).'],
'data_breach': {'data_exfiltration': True,
'number_of_records_exposed': '430,000',
'personally_identifiable_information': ['names',
'contact details'],
'sensitivity_of_data': 'low to moderate (no '
'financial/password data)',
'type_of_data_compromised': ['personal identifiers',
'loyalty program data',
'marketing data']},
'date_publicly_disclosed': '2025-09-26',
'description': 'Luxury department store Harrods confirmed that cybercriminals '
'claimed to steal data from up to 430,000 customer records '
'following a third-party IT breach. The breach compromised '
'basic personal information (names, contact details, loyalty '
'card data, marketing preferences, and co-branded card '
'tie-ins) but excluded payment details or account passwords. '
'Harrods refused to engage with the threat actor, suggesting a '
'ransom demand was made. The incident was contained, and '
'authorities were notified. This follows a May 2025 attempted '
"breach of Harrods' internal systems, which was successfully "
'mitigated.',
'impact': {'brand_reputation_impact': 'moderate (high-profile breach, but no '
'sensitive financial data exposed)',
'data_compromised': ['customer names',
'contact details',
'loyalty card information',
'marketing preferences',
'co-branded card tie-ins'],
'identity_theft_risk': 'low (basic identifiers only, but phishing '
'risk elevated)',
'operational_impact': 'limited (isolated to third-party system)',
'payment_information_risk': 'none',
'systems_affected': ['third-party provider system']},
'initial_access_broker': {'entry_point': 'third-party provider system',
'high_value_targets': ['customer databases']},
'investigation_status': 'ongoing (contained, authorities notified)',
'motivation': ['financial gain (ransom demand)', 'data theft'],
'post_incident_analysis': {'root_causes': ['third-party security '
'vulnerability',
'supply chain target shift after '
'failed direct attack (May 2025)']},
'ransomware': {'data_exfiltration': True, 'ransom_demanded': True},
'recommendations': ['Monitor bank statements and transactions for suspicious '
'activity.',
'Beware of phishing attempts via unexpected texts, calls, '
'or emails.',
'Strengthen third-party vendor security assessments.',
'Implement supply chain risk management protocols.'],
'references': [{'source': 'Hackread.com'},
{'date_accessed': '2025-09-26',
'source': 'Harrods Customer Email Notification'}],
'regulatory_compliance': {'regulatory_notifications': True},
'response': {'communication_strategy': ['customer email notification '
'(2025-09-26)',
'public statement',
'authority notifications'],
'containment_measures': ['third-party system isolation',
'collaboration with affected provider'],
'incident_response_plan_activated': True,
'law_enforcement_notified': True,
'third_party_assistance': True},
'stakeholder_advisories': ['customer notifications', 'authority reports'],
'threat_actor': ['Scattered Spider (suspected in broader UK retail campaign)',
'unnamed threat actor (September 2025 breach)'],
'title': 'Harrods Third-Party Data Breach (September 2025)',
'type': ['data breach', 'third-party breach', 'supply chain attack']}