Luxury retailer Harrods has confirmed that some customer data has been stolen in an IT systems breach involving one of its third-party providers.
What happened in the breach
In an email sent to online customers on Friday evening, the department store said information including names and contact details had been accessed. It stressed that no passwords or payment details were taken.
Harrods described the breach as an “isolated incident” and said it had been contained by the external provider involved. “We are working closely with them to ensure all appropriate actions are being taken,” the company said in a statement. It added that the Information Commissioner’s Office and other relevant authorities had been notified.
A Harrods spokesperson underlined that its own systems had not been compromised. The breach, they added, was unrelated to a cyber incident in May, when Harrods temporarily restricted internet access across its sites following an attempt to gain unauthorised entry.
Cyber crime links
The earlier attempted attack in May was claimed by a loosely affiliated group of hackers also linked to high-profile breaches at Marks & Spencer and the Co-op earlier this year.
In July, the National Crime Agency (NCA) arrested four people in connection with those attacks. A 20-year-old woman was detained in Staffordshire, while three young men aged 17 to 19 were arrested in London and the West Midlands. All have since been released on bail.
Cyber criminals have continued to target high-profile UK companies. In August, another group claimed responsibility for the cyber attack that halted production at Jaguar Land Rover factories worldwide, with operations only beginning to restart this week.
Warning on wider risks
Richard Horne, chief executive of the National Cyber Security Centre, warned that incidents like the Harrods breach highlighted the broader risks to businesses and the public.
“Cyber attacks may sound theoretical and technical, but they have real-world impact on real people,” he told BBC Radio 4’s Today programme on Saturday.
“These criminal attackers don’t care who they hit, and they don’t care how they hurt them. All organisations, big and small, need to take steps to secure their systems — to protect themselves and to protect their customers.”
