Harrods Customers Targeted After Cyber Attack on Third-Party Vendor

The breach highlights the need for security vigilance in handling customer data using third-party systems


Published: September 30, 2025

Nicole Willing

Luxury department store Harrods has confirmed that cyber attackers have contacted customers whose data they stole in a breach of the retailer’s tech stack.

The company said in a statement on September 30 sent to CX Today:

We are aware that some e-commerce customers have been directly contacted by someone purporting to have taken some personal data from one of our third-party providers’ systems.

Harrods confirmed on September 26 that it had been informed by one of its third-party providers that data was stolen, and on September 28 stated that it had been contacted by the cybercriminals.

The retailer confirmed to CX Today that 430,000 customer records were affected.

Harrods informed affected customers on September 26 that the information includes their name and contact details, where these were provided, but does not include account passwords or, crucially, payment details.

However, the data could still be used in targeted phishing or social engineering attacks, as evidenced by the criminals contacting customers directly within days. The high-end retailer’s customers are also potential targets of identity theft.

Hackers often contact the companies they steal data from in an attempt to blackmail or extort money, typically threatening to leak sensitive information or disrupt operations unless a ransom is paid.

Harrods stated that it will not engage or negotiate with the perpetrators, and is cooperating with authorities including the National Cyber Security Centre and the Metropolitan Police Cyber Crime unit to investigate and mitigate the damage.

“Negotiating with cybercriminals does not result in any guarantees as to what they may do with the information they have accessed,” the September 30 statement said.

Even if a company that has been attacked pays a ransom, attackers may still sell the data on the dark web, leak it publicly, or use it to launch further targeted attacks.

The third-party provider informed the retailer that the breach “is an isolated incident which has been contained,” Harrods said, adding that the two companies are working closely “to ensure that all appropriate actions are being taken.”

The compromised customer records may also include tags associated with Harrods’ marketing activities and service offerings.

“These labels may include tier level or affiliation to a Harrods co-branded card although this information is unlikely to be interpreted accurately by an unauthorized third party,” the retailer said.

Harrods’ customers tend to shop in-store rather than through its e-commerce platform, leaving many of its shoppers unaffected.

More than 60 million domestic and international visitors shop with the company through its Knightsbridge store, its stores at Heathrow and Gatwick airports, and its online platform, according to its website.

The company emphasized that none of its internal systems were compromised by the breach, which it stated is “unconnected to attempts to gain unauthorized access to some Harrods systems earlier this year.”

That attack was linked with the Scattered Spider threat group, believed to be based in the US and UK, which prompted the company to cut off internet access to its sites as a precaution in May.

Third-Party Risks: A Growing Challenge for Customer Trust

While the latest breach did not affect Harrods’ own systems, the fact that the attackers accessed data through a third-party provider highlights a significant and growing risk in modern customer service ecosystems: third-party security vulnerabilities.

Companies often rely on external vendors for software that powers everything from payment processing and customer support to marketing and logistics. And with the proliferation of AI apps and agents, those dependencies are growing.

While these partnerships help businesses move faster and tap into specialized expertise, they also open up more entry points for cybercriminals to slip through, especially when those third-party systems are not as secure as they should be.

One weak link in the supply chain can compromise thousands, and sometimes millions, of customer records.

Back in May, NCSC CEO Dr Richard Horne warned that a spate of attacks on UK retailers, including Co-op and M&S, emphasized the need for businesses to adopt proactive security policies. He said:

These incidents should act as a wake-up call to all organizations. I urge leaders to follow the advice on the NCSC website to ensure they have appropriate measures in place to help prevent attacks and respond and recover effectively.

The Harrods incident demonstrates that even ‘basic’ customer data like names and contact details can be highly valuable to cybercriminals.

Transparency and timely communication are crucial. The company’s decision to proactively notify affected customers and issue public statements helps limit potential harm and maintain trust.

Just as important is Harrods’ refusal to engage with the attackers, which is in line with cybersecurity best practices, as negotiating with cybercriminals offers no guarantees and can ultimately encourage further attacks.

The attack is a reminder that in an interconnected tech stack, a company’s security is only as strong as its weakest link. Protecting customer data, especially when it’s handled by third-party vendors, isn’t just a technical box to tick. It’s a core part of maintaining trust and protecting a brand’s reputation.
