Luxury retailer Harrods has confirmed that cybercriminals accessed customer data through a third-party IT provider, affecting as many as 430,000 records. The company revealed the breach in an email to customers on September 26, 2025, stressing that no payment details or account passwords were exposed. Harrods acknowledged contact from the attackers but stated it would not engage, indicating a ransom demand may have been made.
The incident follows a series of cyberattacks targeting the UK retail sector this year, with high-profile chains such as M&S and Co-op also impacted. Harrods itself faced attempted intrusions in May 2025, when it swiftly restricted internet access to contain the threat and confirmed no customer data had been compromised at that time. The company said this latest breach was unrelated, as hackers exploited a weakness in a supplier’s system rather than its own networks.
According to Harrods, the stolen information includes basic personal details, loyalty card data, and marketing preferences, while its internal systems remain secure. The retailer has notified authorities and is working with the third-party provider to address the issue. Customers are being urged to remain vigilant by monitoring financial statements and treating unexpected emails or calls with caution.