UK retail giant Harrods has disclosed a new cybersecurity incident after hackers compromised a third-party provider and stole 430,000 records containing sensitive e-commerce customer data.
In a statement to BleepingComputer, the luxury department store noted that the latest incident is not related to the May cyberattack, which was attributed to Scattered Spider.
Back in May, Harrods was the target of a failed cyberattack, as the luxury goods company was quick to take proactive action and block the hackers from gaining access to its systems.
That week, Harrods was the third retailer that Scattered Spider targeted, after Marks and Spencer and Co-op. In both of those incidents, the threat actor used the DragonForce ransomware to encrypt system data [1, 2].
Harrods is a London-based luxury goods department store. It operates a full-featured e-commerce platform catering to international customers.
The recent data breach was first reported by media outlets in the U.K. after Harrods notified customers impacted by the incident.
Harrods told BleepingComputer that it "proactively informed affected e-commerce customers on Friday" that their names and contact details had been compromised following a breach at a third-party provider. The company did not disclose the name of the compromised entity.
Apart from names and contact details, some customer records also included tags and labels used internally for marketing and other services that Harrods provides.
"Affected customer records may also have labels related to marketing and services delivered by Harrods," the luxury goods company says.
"These labels may include tier level or affiliation to a Harrods co-branded card, although this information is unlikely to be interpreted accurately by an unauthorised third party."
Co-branded cards are credit cards that are part of the company's loyalty program and carry Harrods' logo alongside those of a card network (American Express, Visa) and a financial institution (QNB, NBK).
They can be used to earn reward points and include various benefits, like dining credits and access to special events.
Despite the data exposure, Harrods underlined that the leaked data does not include account passwords, payment information, or order histories, and is limited to basic personal identifiers.
The company also noted that the threat actor has contacted it directly, likely in an attempt to extort it, but stated that it would not engage in communication.
The historic store continues its efforts to inform and support exposed customers, and has notified all relevant authorities accordingly, working closely with them.
Customers of Harrods' online store should stay vigilant for phishing attacks and social engineering, and avoid clicking on links sent via email or SMS from unknown contacts.
