Luxury retailer Harrods has confirmed a new data breach that exposed the personal details of around 430,000 e-commerce customers after hackers compromised one of its third-party suppliers.
The company clarified that this incident is separate from the cyberattack it faced in May, which was attributed to the hacker group Scattered Spider.
In a statement to the press, Harrods said it informed affected customers on Friday that their personal details, including names and contact information, were accessed following a breach at a third-party provider.
The retailer did not disclose the name of the compromised vendor but said it has taken immediate steps to contain the situation and alert authorities.
The company reassured customers that the leaked data does not include passwords, payment details, or purchase histories.
However, some customer records contained internal tags and marketing labels used by Harrods for service management. These labels may reference customer tier levels or affiliations with Harrods’ co-branded credit cards, though the company said such information would be difficult for unauthorised parties to interpret accurately.
Cybersecurity experts have linked the breach to a wider supply chain attack that affected multiple companies globally over the summer. The incident, believed to involve the Salesloft platform, saw hackers use stolen OAuth tokens to access victims' Salesforce systems and extract customer data. Because such tokens authenticate the third-party integration rather than an individual employee, they stay valid until the tokens themselves are revoked; resetting user passwords alone does not invalidate them.
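As an added illustration of how a Salesforce administrator might look for this pattern, the script below is not part of the article and is not code from Harrods, Salesloft or Salesforce. It scans login records shaped like Salesforce's LoginHistory object (field names LoginType, Application, SourceIp, UserId, LoginTime) and flags OAuth connected-app logins from an unapproved application or from an address outside the ranges expected for that application, then lists the users whose tokens for a given app would need revoking. The application names, IP ranges and login records are constructed for the example.

```python
"""Flag suspicious OAuth connected-app logins in Salesforce-style login history.

Added example; not code from the article or from Harrods, Salesloft or Salesforce.
Field names mirror Salesforce's LoginHistory object. App names, IP ranges and
the records below are constructed sample data, not real logs.
"""
import ipaddress
from datetime import datetime

# Salesforce records OAuth connected-app logins with this LoginType value.
OAUTH_LOGIN_TYPE = "Remote Access 2.0"

# Assumed allowlist (hypothetical): connected app name -> CIDR ranges the
# vendor is expected to call from. These are documentation ranges, not any
# real vendor's egress addresses.
APPROVED_APPS = {
    "SalesChatApp": ["198.51.100.0/24"],
    "MarketingSync": ["192.0.2.0/24"],
}

# Constructed sample login records.
SAMPLE_LOGINS = [
    {"UserId": "005A", "LoginTime": "2025-08-10T09:00:00Z", "LoginType": "Application",
     "Application": "Browser", "SourceIp": "203.0.113.10", "Status": "Success"},
    {"UserId": "005B", "LoginTime": "2025-08-11T03:12:00Z", "LoginType": OAUTH_LOGIN_TYPE,
     "Application": "SalesChatApp", "SourceIp": "198.51.100.7", "Status": "Success"},
    {"UserId": "005C", "LoginTime": "2025-08-11T03:14:00Z", "LoginType": OAUTH_LOGIN_TYPE,
     "Application": "SalesChatApp", "SourceIp": "203.0.113.55", "Status": "Success"},
    {"UserId": "005B", "LoginTime": "2025-08-11T03:20:00Z", "LoginType": OAUTH_LOGIN_TYPE,
     "Application": "UnknownApp", "SourceIp": "203.0.113.56", "Status": "Success"},
    {"UserId": "005D", "LoginTime": "2025-08-12T10:05:00Z", "LoginType": OAUTH_LOGIN_TYPE,
     "Application": "SalesChatApp", "SourceIp": "198.51.100.9", "Status": "Success"},
]


def parse_time(value):
    """Parse the ISO-8601 UTC timestamp format used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def classify(login, approved_apps):
    """Return a reason string if an OAuth login looks suspicious, else None."""
    if login["LoginType"] != OAUTH_LOGIN_TYPE:
        return None  # interactive/browser logins are out of scope here
    app = login["Application"]
    if app not in approved_apps:
        return "unapproved_app"
    source = ipaddress.ip_address(login["SourceIp"])
    if not any(source in ipaddress.ip_network(cidr) for cidr in approved_apps[app]):
        return "unexpected_source_ip"
    return None


def flag_suspicious(logins, approved_apps=APPROVED_APPS):
    """Return findings for OAuth logins from unapproved apps or unexpected IPs."""
    findings = []
    for login in logins:
        reason = classify(login, approved_apps)
        if reason:
            findings.append({
                "UserId": login["UserId"],
                "Application": login["Application"],
                "SourceIp": login["SourceIp"],
                "LoginTime": parse_time(login["LoginTime"]),
                "reason": reason,
            })
    return findings


def users_to_revoke(logins, app):
    """Users whose OAuth tokens for `app` should be revoked.

    A stolen integration token is only invalidated by revoking it; resetting the
    user's password does not help, so every user the app has logged in as is listed.
    """
    return sorted({
        login["UserId"] for login in logins
        if login["LoginType"] == OAUTH_LOGIN_TYPE and login["Application"] == app
    })


if __name__ == "__main__":
    for finding in flag_suspicious(SAMPLE_LOGINS):
        print(f"{finding['LoginTime']} user={finding['UserId']} "
              f"app={finding['Application']} ip={finding['SourceIp']} -> {finding['reason']}")
    print("revoke tokens for:", users_to_revoke(SAMPLE_LOGINS, "SalesChatApp"))
```

In a real tenant the records would come from a SOQL query against LoginHistory (or the Setup Audit Trail and Event Monitoring logs), and the revocation step is done through the connected app's OAuth usage page or the OAuth token APIs rather than by editing a list.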
Harrods also confirmed that the threat actor behind the latest breach had reached out to the company directly, apparently seeking extortion.
The retailer stated it would not engage in any communication or negotiation with the attacker.
Authorities and cybersecurity professionals have been notified, and Harrods said it continues to work closely with them to ensure customer protection and prevent future incidents.
The company has also advised customers to remain alert to phishing attempts and avoid clicking on links or sharing information with unknown sources.
Despite the breach, Harrods’ online services remain operational. The company said it remains committed to maintaining the trust of its customers and strengthening its digital security systems to safeguard sensitive information.