Luxury London-based retailer Harrods is facing its second cybersecurity scandal in 2025, confirming criminals not only stole 430,000 customers’ data in a fresh attack but have even made contact.
It began notifying affected customers on September 26 that their data was taken during a break-in at one of its suppliers. Harrods said the “third party” supplier has reassured it that the incident was isolated and had been contained.
Harrods also confirmed in a statement on Sunday: “We have received communications from the threat actor and will not be engaging with them.”
The affected data included basic personal details such as names and contact details, but does not include passwords or financial information.
It may also include marketing-related data such as Harrods membership tier levels and affiliation to a Harrods co-branded card. However, the lux retailer said it believes this data was unlikely to be interpreted accurately by anyone who can get their hands on it.
Harrods insisted its own systems were not targeted or compromised, and refused to name the third-party supplier in question.
“Our focus remains on informing and supporting our customers,” it said. “We have informed all relevant authorities and will continue to co-operate with them.”
Harrods also confirmed the attack is separate from the one earlier this year, which was widely reported to be at the hands of Scattered Spider – a group that besieged British retailers including M&S and Co-op.
Of the three major high-street brands targeted over the summer by Scattered Spider, the information about Harrods was comparatively sparse.
In confirming the latest attack, a spokesperson for the company alluded to “attempts to gain unauthorized access” to its systems earlier this year, but provided no further details.
The National Crime Agency (NCA) recently arrested and charged two teens – Owen Flowers, 18, and Thalha Jubair, 19 – alleging they were involved in a cyberattack on Transport for London.
Despite the suspects apparently matching descriptions previously mentioned in relation to Scattered Spider-linked attacks, and descriptions of four people arrested earlier this year, neither is officially being tied to the British retail attacks.
Jubair also faces additional charges in the US over an alleged 120 network intrusions affecting at least 47 US organizations.