Harrods luxury department store warns customers of data breach

UK luxury department store Harrods has issued a warning to its customers that their personal details might have been stolen in an IT systems breach.

The retailer says that the systems belonged to one of its third-party providers. Compromised information includes names and contact details of some of its online customers, however, no passwords or payment details were allegedly affected.

Harrods, which is currently owned by Qatar Investment Authority, called the breach an "isolated incident":

“We have been notified by one of our third-party providers that some Harrods e-commerce customers’ personal data has been taken from one of their systems,” Harrods said in a statement.

“We have informed affected customers that the impacted personal data is limited to basic personal identifiers, including name and contact details, but does not include account passwords or payment details.

“The third party has confirmed this is an isolated incident which has been contained, and we are working closely with them to ensure that all appropriate actions are being taken. We have notified all relevant authorities.”

A spokesman for the store added that none of its internal systems had been compromised and that the attack is not connected to the incident that happened in May, when the retailer promptly restricted access across its sites.

Scattered Spider ransomware group claimed to be behind the cyberattacks on Harrods, Marks & Spencer, and the Co-op earlier this year. In the aftermath of the incident, the Co-op took a hit of about £206m ($276m) in revenue, estimating a £120m ($161m) loss in full-year profits, while Marks & Spencer was forced into a 46-day suspension of online order processing of clothing and home goods.

In July, the National Crime Agency (NCA) arrested four people in connection with the hacks.