Harrods says attackers made contact after a breach compromised data belonging to 430,000 customers. The luxury department store said it will not be engaging with them.
The information was taken from a third-party provider. In a statement, Harrods said: “We proactively informed affected e-commerce customers on Friday that the impacted personal data is limited to basic personal identifiers including name and contact details, where this information has been provided. It does not include account passwords or payment details.
“Affected customer records may also have labels related to marketing and services delivered by Harrods.
“These labels may include tier level or affiliation to a Harrods co-branded card, although this information is unlikely to be interpreted accurately by an unauthorised third party.”
Harrods said its focus remains on informing and supporting its customers. “We have informed all relevant authorities and will continue to co-operate with them.”
The attack is understood to affect only a fraction of Harrods shoppers, as most of its sales are made in-store. The company would not reveal the malefactor’s demands or messages.
The store first disclosed the breach in an email to customers on Friday. It added that the incident was unrelated to attempts earlier this year to penetrate its wider IT systems.
Cyber-attacks on British firms have mounted in 2025. Co-op this week said an attack that exposed the data of its 6.5 million members had cost £206m in lost sales. M&S reported losses of £300m from similar disruption. Jaguar Land Rover continues to recover from an attack that halted production and forced the government to guarantee a £1.5bn loan to stabilise its supply chain.
Soft Targets
Dray Agha, senior manager of security operations at Huntress, said: “Cybercriminals are increasingly targeting third-party suppliers because these vendors often have weaker security defences than the large companies they serve. For a prestigious target like Harrods, breaching a smaller supplier is a far easier backdoor than attacking the company’s main systems directly. This forces organisations to defend not just themselves, but their entire digital ecosystem.”
A Massive, Widespread Data Security Crisis
Agha adds that the breach of a single supplier can expose the data of hundreds of thousands of customers across multiple businesses simultaneously. “This incident shows how one vulnerability at a third-party provider can create a massive and widespread data security crisis, amplifying the impact far beyond what a direct attack could achieve. This incident should serve as a stark reminder that a company’s security is only as strong as its least secure vendor. It highlights the urgent need for robust third-party risk management, including continuous security monitoring of partners and clear contractual security requirements, not just one-off checks during onboarding.”
Connected Through Complex Ecosystems
Charlotte Wilson, head of enterprise at Check Point Software, added: “We’re seeing a dramatic rise in third-party supply chain attacks, and that’s because so many organisations today are connected through complex ecosystems that hold valuable, integrated data. Check Point has found that 20% of all data breaches in recent years involved a third-party vendor, and breaches tied to third-party access not only took an average of 26 days longer to identify but also cost more: $4.46 million per incident compared to the global average of $4.35 million.”
Third Party Vulnerabilities
She says the recent incidents mentioned all stem from third-party vulnerabilities. “While payment data wasn’t always exposed, loyalty, marketing and customer records were, and these data sets are extremely valuable to criminals. The first wave of impact is business disruption: downtime, lost sales and reputational harm as organisations scramble to recover. The secondary wave hits consumers: attackers use stolen data to launch convincing phishing texts, scam calls and impersonation websites. For example, a message promising 50% off at a brand you’ve shopped with before can trick customers into handing over credentials, card details, or even installing malware, and they understandably associate that harm with the brand itself, which amplifies reputational damage.”
AI Makes Follow-on Scams More Dangerous
According to her, AI is making these follow-on scams more dangerous. “Today, criminals are already using AI, including generative tools, after an initial breach to craft highly tailored, personalised offers that leverage exposed loyalty and marketing data so the scam feels real and pushes victims to impersonation sites. Looking ahead, agentic AI (agents talking to agents without human oversight) risks amplifying this scale and speed even further.
“Retailers must treat supply-chain risk with the same rigour as their own internal security. That means full visibility of which third-party vendors handle sensitive data, enforcing least-privilege access, network segmentation, and running failure and breach-response tests that include third-party providers. Outsourcing a function does not outsource the risk. Finally, transparency matters. Organisations that are open and proactive after a breach may take an immediate reputational hit, but they also empower customers to protect themselves and reduce the success of follow-on scams, and in doing so, demonstrate real integrity.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.