Prestigious London department store Harrods has again been struck by a serious cyber incident after over 400,000 customer records were stolen in a third-party data breach at an undisclosed supplier.
Harrods has stressed that the incident affected a small portion of its shoppers – the majority of its clientele prefer to shop in-store, not online – and that the incident is unrelated to the attempted Scattered Spider attack on its systems earlier this year.
Nor is there any evidence to link the breach to the ongoing Salesloft Drift – Salesforce incident that involved the theft of authentication tokens.
“We have been notified by one of our third-party providers that some Harrods e-commerce customers’ personal data has been taken from one of their systems. We have informed affected customers that the impacted personal data is limited to basic personal identifiers including name and contact details but does not include account passwords or payment details,” a Harrods spokesperson said.
“The third-party has confirmed this is an isolated incident which has been contained, and we are working closely with them to ensure that all appropriate actions are being taken.”
Harrods additionally confirmed that some customer records may have labels relating to marketing or other services it provides, such as loyalty tier levels or affiliation with co-branded cards.
“Our focus remains on informing and supporting our customers. We have informed all relevant authorities and will continue to co-operate with them,” said Harrods.
Over the weekend, it emerged that the threat actor responsible had been in communication with the retailer, but the firm has additionally stated that it is not engaging with its attackers.
Nevertheless, said Jamie Moles, ExtraHop senior technical manager, the breach still exposed highly valuable personal information.
“This type of dataset is a goldmine for cybercriminals, enabling convincing phishing campaigns, credential harvesting, and even identity fraud,” said Moles.
“The fact that the compromise originated from a third-party provider underlines one of the most persistent challenges in cyber security: supply chain risk. Retailers can invest heavily in their own defences, but one weak link in a partner’s systems can open the door to large-scale data theft.
He added: “The pressing question is how long the attackers had access before being detected, and what else they may have been able to view or move through.”
Mariano Gomide, CEO of Vtex – an ecommerce platform – said it was clear from Harrods’ response that lessons had been learned from the Scattered Spider incident.
“Harrods’ latest breach was met with clearer incident steps as customers and authorities were informed, attackers were dismissed, and follow-up actions were defined. This stands in contrast to the more limited precautionary measures taken during its May 2025 incident,” said Gomide.
Gomide said retailers needed to work to modernise underlying systems with embedded security and compliance lest they put their branding and customer trust at risk.
“Customers do not see the third-party providers or integrations behind the scenes. They see the brand they chose to buy from, and that is where accountability remains,” he said.
“Unless retailers want to continue putting their name on the line for bolt-on solutions, modern unified commerce disciplines must be made to design with governance and adaptability at the core.
“Brands should be able to continue delivering innovative and personalised experiences without leaving their reputation exposed to the failure of an integration,” said Gomide.
