Harrods has alerted some of its e-commerce customers about a potential data breach involving personal information accessed through a third-party provider.
The luxury department store, based in Knightsbridge, London, confirmed that while customer names and contact details were accessed, sensitive data such as account passwords and payment information remained secure.
The Guardian reported a statement from Harrods: “We have been notified by one of our third-party providers that some e-commerce customers’ personal data has been taken from one of their systems.
“We have informed affected customers that the impacted personal data is limited to basic personal identifiers, including name and contact details, but does not include account passwords or payment details.
“The third party has confirmed this is an isolated incident which has been contained, and we are working closely with them to ensure that all appropriate actions are being taken. We have notified all relevant authorities.”
The company reassured affected customers and the public that this incident is contained and isolated, with no compromise to Harrods' own systems.
It is collaborating with the third-party provider to address the situation and has informed the relevant authorities.
Harrods emphasised that this breach is unrelated to security incidents earlier in 2025.
In May, the company pre-emptively limited internet access across its sites following an attempted breach.
The event follows a series of cyber-related challenges faced by UK retailers, including Marks & Spencer, which experienced significant online disruptions, and the Co-op, which had to temporarily shut down parts of its IT operations in April 2025.
In July, arrests were made in connection with cyber-attacks targeting Harrods, Marks & Spencer and the Co-op.
British authorities detained four individuals, aged between 17 and 20, in relation to these cyber-attacks.
The arrests were part of a broader investigation led by the National Crime Agency into a large-scale organised ransomware campaign.
