Cyberattack on Harrods exposes 430,000 user records

On September 26, 2025, the luxury department store Harrods, located in London, United Kingdom, reported a cyberattack on one of its external suppliers that affected its customer data.

Harrods described the security breach in an email sent to its customers. It is estimated that approximately 430,000 customer records were affected by the attack. The compromised data contains basic customer identification information, such as names, email addresses, contact information, and references associated with loyalty and marketing programs.

According to media reports, the attackers attempted to contact Harrods, but the company has stated that it will not engage with them. In fact, the company has described the attack as isolated and contained, further detailing that this attack is unrelated to the recent intrusion attempt detected in April of the same year.

Harrods said it is working with British authorities and regulatory bodies and will strengthen its systems and oversight of third-party vendors.