Luxury department store Harrods has disclosed a data breach affecting 430,000 customer records after a third-party supplier was compromised. The company confirmed it was contacted by the hackers but stated it will not engage with the threat actor.
The breach was first communicated to affected e-commerce customers via email on Friday, September 26, 2025. Harrods emphasized that its own internal systems were not compromised and the incident originated from a security failure at an unnamed external supplier.
What Information Was Involved?
Harrods has reassured customers that the compromised data is limited to basic personal identifiers and does not include highly sensitive financial information.
The stolen data primarily includes:
- Basic Identifiers: Names and contact details provided by customers.
- Marketing & Loyalty Data: Information related to marketing preferences, loyalty program status, and affiliations with Harrods’ co-branded credit cards.
A company spokesperson noted that the exposed marketing-related data is “unlikely to be interpreted accurately by an unauthorised third party”. The breach did not include account passwords, payment card details, or order history.
What You Can Do & Broader Context
Customers of Harrods' online store should stay vigilant for potential phishing and social engineering attempts that use stolen personal information. Be cautious of unexpected emails or texts and avoid clicking on links from unknown senders.
This incident highlights a growing trend of cybercriminals targeting supply chain partners to access data from major corporations. Harrods has proactively informed affected customers and notified relevant authorities, including the Information Commissioner’s Office (ICO).