Overview
- Harrods confirms data was taken from an unnamed supplier’s system, affecting about 430,000 e-commerce records containing names, contact details, and some internal marketing labels such as loyalty tier or co-branded card affiliation.
- The company says no passwords, payment information, or order histories were accessed, and its own systems were not compromised.
- Harrods began notifying affected customers on September 26 and has reported the incident to relevant authorities, including the National Cyber Security Centre and the Metropolitan Police Cyber Crime unit.
- After initially receiving messages from the threat actor, Harrods now reports some customers have been contacted directly and advises against engaging, warning of potential phishing or extortion attempts.
- Harrods states the breach is separate from a May attempt linked to Scattered Spider. The incident highlights the persistent supply-chain exposure facing UK retailers.