Harrods Discloses Data Breach Following Supplier Cyberattack Affecting 430,000 Customers
Overview of the Incident
Harrods, the iconic London-based luxury retailer, has recently confirmed a significant cybersecurity breach involving a third-party supplier. The attack resulted in unauthorized access to, and theft of, approximately 430,000 customer records containing sensitive ecommerce data. The company emphasized that this breach is distinct from, and unrelated to, the attempted cyberattack it faced earlier in May 2024.
Background: Previous Cybersecurity Challenges
In May, Harrods successfully thwarted a hacking attempt linked to the notorious threat group known as Scattered Spider. During that period, the same group targeted other major UK retailers, including Marks and Spencer and Co-op, deploying DragonForce ransomware to encrypt critical system files. Harrods responded swiftly to prevent any system infiltration, safeguarding its operations and customer data.
Details of the Recent Breach
The latest compromise originated from a supplier's system, which was infiltrated by cybercriminals. Harrods promptly notified affected customers on a Friday, informing them that their personal details, such as names and contact information, had been exposed. However, the retailer has not disclosed the identity of the compromised third-party provider.
Context: The Salesloft Supply-Chain Attack
This incident is part of a broader wave of supply-chain attacks that have impacted numerous organizations worldwide since late summer 2024. Hackers exploited stolen OAuth tokens to gain unauthorized access to customers’ Salesforce environments, extracting sensitive data. Several companies have since revealed that customer information was exposed during these attacks.
Nature of the Exposed Data
Among the leaked information were labels and tags associated with Harrods’ marketing efforts and customer services. These may include customer tier statuses or affiliations with Harrods’ co-branded credit cards. While such labels provide insight into customer segmentation, it is unlikely that unauthorized parties could accurately interpret this data without additional context.
Understanding Harrods’ Co-Branded Cards
Harrods offers co-branded credit cards in partnership with major financial networks like American Express and Visa, as well as banks such as QNB and NBK. These cards are integrated into the retailer’s loyalty program, allowing customers to earn reward points and access exclusive perks, including dining credits and invitations to special events. Importantly, Harrods confirmed that no payment details, order histories, passwords, or financial transaction records were compromised in this breach.
Response and Customer Guidance
Following the breach, Harrods disclosed that the attackers attempted to extort money by contacting the company directly. Harrods has refused to engage with the perpetrators and is collaborating closely with law enforcement and cybersecurity authorities to manage the situation.
Customers are advised to remain vigilant against phishing attempts and social engineering scams, especially those delivered via email or SMS. Harrods recommends avoiding clicking on suspicious links or providing personal information in response to unsolicited communications.
Looking Ahead: Strengthening Security Measures
As cyber threats continue to evolve, Harrods is committed to enhancing its cybersecurity infrastructure and working with trusted partners to prevent future incidents. The retailer’s ecommerce platform, which serves a global clientele, remains a priority for ongoing security investments.
With cybercrime on the rise (recent reports indicate a 15% increase in supply-chain attacks globally in 2024), companies like Harrods are reinforcing their defenses to protect customer trust and data integrity.
