Harrods

UK luxury retail giant Harrods suffered a cybersecurity breach after hackers compromised a third-party supplier and exfiltrated 430,000 e-commerce customer records. The stolen data included names, contact details, and internal marketing labels (e.g., loyalty tier levels, co-branded card affiliations), but not passwords, payment information, or order histories. The threat actor contacted Harrods directly, likely to extort the company, which refused to engage. Although the breach did not expose highly sensitive financial data, the volume of compromised personal identifiers creates risk of phishing, social engineering, and reputational harm. Harrods proactively notified affected customers and the authorities, urging vigilance against follow-up attacks. This incident follows a failed May 2024 ransomware attempt by Scattered Spider (linked to DragonForce ransomware), which Harrods thwarted before any systems were encrypted.

Source: https://www.bleepingcomputer.com/news/security/harrods-suffers-new-data-breach-exposing-430-000-customer-records/

TPRM report: https://www.rankiteo.com/company/harrods

{
"id": "har5992359092925",
"linkid": "harrods",
"type": "Breach",
"date": "5/2024",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': '430,000',
                        'industry': 'Luxury Goods/E-Commerce',
                        'location': 'London, UK',
                        'name': 'Harrods',
                        'size': 'Large (Global Retail Giant)',
                        'type': 'Retailer'}],
 'attack_vector': ['Supply Chain Attack', 'Third-Party Vendor Exploitation'],
 'customer_advisories': 'Phishing Vigilance; No Action Required for '
                        'Passwords/Payment Data',
 'data_breach': {'data_exfiltration': 'Yes',
                 'number_of_records_exposed': '430,000',
                 'personally_identifiable_information': ['Names',
                                                         'Contact Details'],
                 'sensitivity_of_data': 'Moderate (No Financial/Password Data)',
                 'type_of_data_compromised': ['Personal Identifiers',
                                              'Marketing Metadata']},
 'description': 'UK retail giant Harrods disclosed a cybersecurity incident '
                'where hackers compromised a third-party supplier, stealing '
                '430,000 records containing sensitive e-commerce customer '
                'information. The exposed data includes names, contact '
                'details, and internal marketing tags/labels (e.g., tier '
                'level, co-branded card affiliation). Harrods confirmed no '
                'account passwords, payment information, or order histories '
                'were compromised. The threat actor attempted extortion, but '
                'Harrods refused to engage. This incident is unrelated to the '
                'May 2024 failed cyberattack by Scattered Spider, which '
                'targeted Harrods, Marks and Spencer, and Co-op using '
                'DragonForce ransomware.',
 'impact': {'brand_reputation_impact': 'Potential Reputation Damage Due to '
                                       'Customer Data Exposure',
            'data_compromised': ['Names',
                                 'Contact Details',
                                 'Internal Marketing Tags/Labels (e.g., tier '
                                 'level, co-branded card affiliation)'],
            'identity_theft_risk': 'Low (No Payment Info or Passwords Exposed)',
            'operational_impact': 'Customer Notifications, Regulatory '
                                  'Coordination',
            'payment_information_risk': 'None',
            'systems_affected': ['Third-Party Supplier Systems']},
 'initial_access_broker': {'entry_point': 'Third-Party Supplier Compromise',
                           'high_value_targets': ['Customer PII',
                                                  'Marketing Data']},
 'investigation_status': 'Ongoing (Authorities Involved)',
 'motivation': ['Data Theft', 'Extortion', 'Financial Gain'],
 'post_incident_analysis': {'root_causes': ['Third-Party Security '
                                            'Vulnerability']},
 'ransomware': {'data_exfiltration': 'Yes (Third-Party Breach)',
                'ransom_paid': 'No (Harrods Refused to Engage)'},
 'recommendations': ['Customers Advised to Monitor for Phishing/Social '
                     'Engineering Attacks',
                     'Avoid Clicking Links from Unknown Emails/SMS',
                     'Third-Party Vendor Security Assessments Recommended'],
 'references': [{'source': 'BleepingComputer'},
                {'source': 'UK Media Outlets (Initial Breach Reporting)'}],
 'regulatory_compliance': {'regulatory_notifications': 'Yes (Authorities '
                                                       'Notified)'},
 'response': {'communication_strategy': ['Direct Customer Notifications '
                                         '(Email)',
                                         'Media Statements',
                                         'Regulatory Disclosures'],
              'incident_response_plan_activated': 'Yes (Proactive Customer '
                                                  'Notifications)',
              'law_enforcement_notified': 'Yes (Relevant Authorities Notified)',
              'remediation_measures': ['Customer Support',
                                       'Vigilance Advisories (Phishing/Social '
                                       'Engineering Warnings)']},
 'stakeholder_advisories': 'Customers Notified; Authorities Engaged',
 'threat_actor': ['Unknown (Extortion Attempt)',
                  'Scattered Spider (Unrelated May 2024 Attack)'],
 'title': 'Harrods Third-Party Supplier Data Breach (2024)',
 'type': ['Data Breach', 'Third-Party Compromise']}