Luxury department store Harrods has notified customers that their personal data may have been compromised in an IT systems breach – the second security incident affecting the retailer this year.

The breach, which Harrods described as an “isolated incident,” impacted some of its e-commerce customers. The company confirmed in a statement that it was alerted by a third-party provider, whose systems were compromised, leading to the data theft.

The stolen information is “limited to basic personal identifiers,” specifically names and contact details of the online customers. Crucially, Harrods was able to reassure the affected individuals that no account passwords or payment details were taken in the breach.

The incident’s source is a third-party provider’s system, which handles data for Harrods’ e-commerce operations. The retailer emphasized that its own internal systems were not compromised, drawing a clear distinction from the earlier May cyber attack when it had to restrict internet access as a precautionary measure.

A spokesman explicitly stated the data was taken from the provider and is “unconnected” to the prior attempt to gain unauthorised access to Harrods’ systems.

The news comes as major UK businesses continue to grapple with persistent cyber threats, which the National Cyber Security Centre (NCSC) CEO called an issue with “real-world impact on real people.” Harrods has notified all relevant authorities and is working closely with the third-party provider, who confirmed the incident has been contained.

This latest breach follows a high-profile cyber attack against Harrods in May. In July, the National Crime Agency arrested four people in connection with that incident and with similar attacks against retailers Marks & Spencer and the Co-op.

The recurring security issues highlight the growing vulnerabilities that retailers face, particularly through third-party supply chains, in the current landscape of aggressive criminal cyber activity.

