Hacking typing on keyboard showing third-party data breach

Third-Party Data Breach Hits Harrods, Leaking Over 430,000 Customer Records

Harrods has disclosed a third-party data breach after cybercriminals claimed to have stolen over 430,000 customer records. The luxury department learned of the breach after the attackers approached the company and demanded a ransom to avoid leaking the stolen data online.

However, the retailer emphasized that the breach was unrelated to the previous hacking incident attributed to the English-speaking cyber gang, Scattered Spider.

The cybercrime gang had also breached other U.K. retailers, Marks & Spencer and the Co-op. Four suspected gang members were later arrested and charged with various crimes under the U.K.’s Computer Misuse Act.

The hacking group was also part of the cybercrime collective Scattered Lapsus$ Hunters that claimed responsibility for the Jaguar Land Rover cyber attack that halted production, sales, and parts distribution.

Harrods refuses to pay ransom after “isolated” third-party data breach

Harrods says it has notified the relevant authorities and is focused on alerting all impacted customers. It also promised not to engage with the attackers who have demanded a ransom in exchange for not leaking the stolen data online.

The luxury department also believes the incident was contained, and there was no evidence of ongoing illegal access. The company was closely working with the impacted third-party service provider to verify that all the necessary security measures were in place.

“The third-party has confirmed this is an isolated incident which has been contained, and we are working closely with them to ensure that all appropriate actions are being taken,” it stated.

“Harrods deserves credit for how they’ve handled this latest breach,” said Piyush Sharma, CEO and co-founder of Tuskira. “Their team moved quickly to notify impacted customers, protect financial and account data, and limit the damage to personal identifiers. Breaches are inevitable for any large enterprise but what separates leaders is how they respond, contain the impact, and maintain transparency with their customers. On those points, Harrods set a strong example.”

However, Kevin Marriott, Senior Manager of Cyber/Head of SecOps at Immersive, warned that the Harrods data breach showcased “how threat actors probe across interconnected supply chains until they find a weakness.”

“This incident came through a third-party provider, showcasing how threat actors probe across interconnected supply chains until they find a weakness,” noted Marriott.

Harrods’ third-party data breach leaked limited “basic personal identifiers”

Harrods says that the third-party data breach leaked limited basic personal identifiers, including the names and contact information of online customers, where those details were provided.

However, the third-party data breach did not leak customers’ account passwords and payment details, such as credit card and bank account numbers. Nevertheless, contact information, such as email addresses and phone numbers, could enable cybercriminals to target impacted customers and lure them into disclosing sensitive personal information.

Subsequently, the victims should watch out for unsolicited communication from people purporting to be Harrods’ employees and should avoid sharing personal information via email. They should also avoid clicking on suspicious links and downloading email attachments, and closely monitor their accounts and credit reports for suspicious activity.

Nonetheless, Harrods asserts that the third-party data breach did not affect its internal systems, as it was restricted to the third-party service provider’s environment. Because most Harrods customers shop offline, the third-party data breach impacted only a small fraction of its clientele.

“No Harrods system has been compromised and it is important to note that the data was taken from a third-party provider and is unconnected to attempts to gain unauthorised access to some Harrods systems earlier this year.”

So far, Harrods has not disclosed the identity of the threat actor, the ransom amount demanded, or the impacted third-party service provider. Similarly, no cyber group has publicly claimed responsibility for the cyber attack.

The total number of customers impacted also remains undetermined, as it was unclear if the stolen records uniquely identified individual customers or contained duplicates.