
Harrods blames its supplier after crims steal 430k customers’ data in fresh attack

(2025/09/29)


Luxury London-based retailer Harrods is facing its second cybersecurity scandal in 2025, confirming criminals not only stole 430,000 customers' data in a fresh attack but have even made contact.

It began notifying affected customers on September 26 that their data was taken during a break-in at one of its suppliers. Harrods said the "third party" supplier has reassured it that the incident was isolated and had been contained.

Harrods also confirmed in a statement on Sunday: "We have received communications from the threat actor and will not be engaging with them."


The affected data included basic personal details such as names and contact details, but does not include passwords or financial information.


It may also include marketing-related data such as Harrods membership tier levels and affiliation to a Harrods co-branded card. However, the lux retailer said it believes this data was unlikely to be interpreted accurately by anyone who can get their hands on it.

Harrods insisted its own systems were not targeted or compromised, and refused to name the third-party supplier in question.


"Our focus remains on informing and supporting our customers," it said. "We have informed all relevant authorities and will continue to co-operate with them."

Harrods also confirmed the attack is separate from the [5]one earlier this year, which was widely reported to be at the hands of Scattered Spider - a group that besieged British retailers including [6]M&S and [7]Co-op.

Of the three major high-street brands targeted over the summer by Scattered Spider, the information about Harrods was comparatively sparse.


In confirming the latest attack, a spokesperson for the company alluded to "attempts to gain unauthorized access" to its systems earlier this year, but provided no further details.

The National Crime Agency (NCA) recently [12]arrested and charged two teens – Owen Flowers, 18, and Thalha Jubair, 19 – alleging they were involved in a cyberattack on Transport for London.


Despite the suspects apparently matching descriptions previously mentioned in relation to Scattered Spider-linked attacks, and in descriptions of [14]four people arrested earlier this year, neither is officially being tied to the British retail attacks.

Jubair also [15]faces additional charges in the US over an alleged 120 network intrusions affecting at least 47 US organizations. ®





[5] https://forums.theregister.com/forum/all/2025/05/02/ncsc_steps_in_as_harrods/

[6] https://www.theregister.com/2025/08/11/ms_restores_click_collect_following/

[7] https://www.theregister.com/2025/09/25/empty_shelves_empty_coffers_coop/


[12] https://www.theregister.com/2025/09/18/two_teens_charged_in_tfl_case/


[14] https://www.theregister.com/2025/07/10/nca_arrests_four_in_connection/

[15] https://www.theregister.com/2025/09/19/scattered_spider_teen_cuffed/




Doctor Syntax

Was anything learned from the previous incident?

Nah

Anonymous Coward

No impact on important people and we have someone who will take the blame so carry on.

Anonymous Coward

What’s the betting it’s something they outsourced and it’s now come back to bite them on their large backside. I visited the store a few days after the first attempt and I didn’t notice anything different, so maybe that one wasn’t bad, like Harrods claimed it wasn’t and they caught the intrusion.

Next in line for a government 'loan'?

VoiceOfTruth

Got to let the plebs pay for it.

Re: Next in line for a government 'loan'?

Anonymous Coward

Silly boy

“The incident was isolated and had been contained”

Anonymous Coward

It’s OK boss.

Only 430,000 have been impacted!

Phew.

Re: “The incident was isolated and had been contained”

Rich 2

I was just about to point out the same thing.

The only reason/way this is “contained” is that there is nothing else left to steal!

Anonymous Coward

Don't you dare fail to monitor your own supply line then try to wash your hands of it like it was nothing to do with you.

YOUR supplier

YOUR sub-contractor

YOUR problem

YOUR fault.

Own it you cowards

Anonymous Coward

Also, presumably the upstream supplier has other clients than Harrods. So what else is compromised and where's this responsible disclosure thing we keep hearing about?
