Harrods has informed certain customers that their names and contact details were exposed after a system belonging to one of its third-party service providers was compromised, though account passwords and payment information remain unaffected.

The luxury retailer emphasised the breach was isolated and has been contained, reiterating that Harrods' core internal systems remained untouched. The compromised data is said to be limited to basic identifiers. The company is collaborating with the third party and relevant authorities to manage the incident.

This warning comes in the wake of a wave of cyberattacks that have struck major UK retailers, including Marks & Spencer and the Co-op Group, earlier this year. Four individuals were arrested in July in connection with attacks on all three retailers; they have since been released on bail while investigations continue under the National Crime Agency.

In May, Harrods had restricted internet access at its sites to counter an attempt to gain unauthorised access to its systems. The company maintains the present breach is unrelated to that earlier incident.

Cybersecurity analysts note that the latest breach typifies a rising trend: attackers increasingly exploit vulnerabilities in third-party suppliers or vendors rather than attacking primary targets directly. Such supply-chain attacks reduce barriers for criminals seeking access to sensitive data.

Retailers in the UK are now under heightened scrutiny, with calls growing for stricter regulation around reporting and transparency of cyber incidents. The Information Commissioner's Office and the National Cyber Security Centre are expected to demand more robust oversight of vendor risk, especially in sectors handling personal data at scale.

Consumer groups have urged Harrods to intensify its customer communications, offer identity monitoring services, and conduct independent audits of vendor security controls. Some critics argue that the luxury retailer should have anticipated supply-chain risk given its profile and the heightened targeting of premium brands.

This breach follows earlier incidents affecting luxury brands. In June, Kering-parent to Gucci, Balenciaga and others-acknowledged unauthorised access to customer data via third-party systems, although financial credentials were not exposed. Meanwhile, hackers recently released personal details of children and staff at the Kido nursery chain, demanding ransom payments and threatening further leaks.

MENAFN12102025000152002308ID1110184170