Harrods reveals 430,000 exposed in third-party breach, refuses to engage with attackers

Britain’s beloved Harrods department store revealed on Sunday that the personal data of 430,000 customers had been exposed in yet another cyberattack affecting the retailer in 2025, this time via one of its third-party vendors. Since the retailer publicly declared it would not negotiate, the same attackers have reportedly been contacting Harrods customers directly.

The luxury department store, in a statement sent to Cybernews, labeled the secondary cyber incident as an “isolated attack” without disclosing the third-party software provider’s name or the date it was notified of the breach.

“The third party confirmed this is an isolated incident which has been contained, and we are working closely with them to ensure that all appropriate actions are being taken,” the London-based retailer said, updating a statement released on Friday to warn its customers.

The company spokesperson made clear that “No Harrods system has been compromised,” also stressing that any data taken from the third-party provider is “unconnected” to the highly publicized and “limited” breach of Harrods’ systems on April 21st of this year.

Harrods was targeted by the notorious Scattered Spider cybercrime group in the April attack, following the group’s devastating attacks on fellow UK retailers Marks & Spencer and the Co-op, among others.

E-commerce customer data taken

Jeremy Turner, Vice President of Threat Intelligence and Research at Security Scorecard, says “the Harrods breach is a textbook case of supply chain compromise that reflects a growing strategic shift among threat actors.”

“Attackers are no longer breaking in through the front door. They are entering through trusted third-party access,” Turner explains.

Harrods said the exposed data of online customers includes only “basic personal identifiers such as names and contact details,” highlighting that “no passwords or payment details were affected.”

Still, the retailer reports, “Affected customer records may also have labels related to internal marketing and services delivered by Harrods.”

Additionally, Harrods said the labels could include tier level or affiliation to a Harrods co-branded card (such as loyalty or major credit cards). However, it says “that information is unlikely to be interpreted accurately by an unauthorised third party.”

“We would like to reiterate that no payment details or order history information has been accessed and the impacted personal data remains limited to basic personal identifiers as advised previously,” Harrods said.

The department store further states it has “informed all affected customers,” as well as relevant authorities, including the National Cyber Security Centre and the Metropolitan Police Cyber Crime unit, who are “still investigating” the incident.

Refusing to engage with attackers

Harrods also revealed that it had been contacted by the alleged threat group behind the attack, but has refused to entertain the hacker’s apparent attempt to lure the company into ransom negotiations.

“We have received communications from the threat actor and will not be engaging with them,” Harrods told Cybernews, noting that the company was simply falling “in line with expert advice to not engage or negotiate with cyber criminals.”

“Negotiating with cyber criminals does not result in any guarantees as to what they may do with the information they have accessed,” it said.

However, the attackers appear to have taken the bull by the horns, so to speak, and have reportedly been reaching out directly to Harrods customers by email, presumably to try to eke out some financial return from the stolen data, or possibly to shame Harrods into paying the criminals hush money in exchange for preserving its public-facing reputation.

Apologizing to customers for the “inconvenience,” Harrods told Cybernews it was “aware that some e-commerce customers have been directly contacted by someone purporting to have taken personal data from its third-party providers’ systems,” reiterating to its shoppers that the stolen data contained “only basic personal identifiers, such as name and contact details.”

Meanwhile, Turner and his firm have found that “97% of the UK’s top companies have at least one breached third party in their ecosystem.”

The threat intelligence VP further states that “more than 40 percent of ransomware attacks now begin with a third-party compromise.”

And while details are still emerging, Turner says the latest Harrods incident “likely involved compromised credentials or insecure file transfer protocols – among the most common attack vectors we see in retail and luxury supply chains.”
