Harrods, the storied luxury department store in London’s Knightsbridge district, has confirmed that some of its customers’ personal information was stolen in a recent data breach. The incident, which came to light on September 27, 2025, is the latest in a string of high-profile cyberattacks targeting major U.K. retailers this year, according to reports from FOX Business and CyberNews.
The breach involved the systems of a third-party provider rather than Harrods’ own internal infrastructure. A spokesperson for Harrods told FOX Business, “We have been notified by one of our third-party providers that some Harrods e-commerce customers’ personal data has been taken from one of their systems.” The compromised data includes the names and contact details of certain online customers. However, both Harrods and the third-party provider have emphasized that no passwords or payment details were affected by the breach.
Harrods, which is currently owned by the Qatar Investment Authority, has moved quickly to notify affected customers and all relevant authorities. The company described the breach as an “isolated incident” that has now been contained. “We have informed affected customers that the impacted personal data is limited to basic personal identifiers, including name and contact details, but does not include account passwords or payment details,” Harrods said in a statement quoted by CyberNews. “The third party has confirmed this is an isolated incident which has been contained, and we are working closely with them to ensure that all appropriate actions are being taken. We have notified all relevant authorities.”
The store’s spokesperson further clarified to FOX Business that “no Harrods system has been compromised, and it is important to note that the data was taken from a third-party provider and is unconnected to attempts to gain unauthorized access to some Harrods systems earlier this year.” This distinction is significant, as Harrods was previously targeted in May 2025, when hackers attempted to breach its systems. That attack was one of three major cyber incidents affecting U.K. retailers within a two-week span, as reported by Reuters.
While the latest breach appears to be less damaging than some of the other cyberattacks that have rocked the British retail sector, it underscores the persistent threat that cybercriminals pose to even the most established brands. The Scattered Spider ransomware group, a notorious hacking collective, has claimed responsibility for a series of cyberattacks on Harrods, Marks & Spencer, and the Co-op earlier in 2025, according to CyberNews. The fallout from these attacks has been severe: the Co-op reported a staggering £206 million ($276 million) hit to its revenue and estimated a £120 million ($161 million) loss in full-year profits. Meanwhile, Marks & Spencer was forced to suspend online order processing for clothing and home goods for an astonishing 46 days.
The British government has responded to this wave of cybercrime with increased vigilance. In July 2025, the National Crime Agency (NCA) arrested four individuals in connection with the hacks that targeted Harrods, Marks & Spencer, and the Co-op. Law enforcement officials have not disclosed the identities of those arrested or provided further details about the ongoing investigation, but the arrests signal a renewed determination to crack down on cybercriminals operating within and beyond the U.K.’s borders.
Harrods’ swift response to the latest breach has been widely noted. The company has not only communicated directly with affected customers but also worked closely with its third-party provider to shore up security and prevent further unauthorized access. “We are working closely with them to ensure that all appropriate actions are being taken,” the Harrods spokesperson reiterated to FOX Business. The company’s transparency and prompt notification of both customers and authorities have been praised by some cybersecurity experts as a model for crisis management in the digital age.
Despite the disruption, Harrods has assured the public that its core operations remain secure. The company emphasized that none of its internal systems were compromised and that the breach did not affect sensitive customer data such as account passwords or payment information. This reassurance is particularly important for a retailer of Harrods’ stature, which has built its reputation over nearly two centuries by offering an exclusive shopping experience to a global clientele.
Founded in the 1800s, Harrods is synonymous with luxury and high fashion, boasting more than 3,000 brands under its iconic roof. Its flagship store in Knightsbridge is a landmark destination for tourists and Londoners alike, attracting millions of visitors each year. The store’s ownership by the Qatar Investment Authority has only heightened its profile on the international stage.
The recent breach, while contained, highlights a growing vulnerability in the retail sector: the reliance on third-party providers for critical IT services. As companies outsource more of their operations to specialized vendors, the security of customer data increasingly depends on the robustness of these partners’ systems. Cybercriminals, for their part, are quick to exploit any weaknesses in this complex web of relationships.
British companies have faced a surge of cyberattacks in recent years, with the financial and reputational costs mounting. According to Reuters, such incidents have cost U.K. businesses tens of millions of pounds and, in some cases, caused months of disruption. The spate of attacks in 2025 has prompted calls for stronger cybersecurity measures, better coordination between retailers and their vendors, and more aggressive law enforcement action against hacking groups.
For consumers, the Harrods breach serves as a reminder to remain vigilant about their personal information. While no passwords or payment details were compromised in this case, the exposure of names and contact information can still leave individuals vulnerable to phishing attempts and other forms of identity theft. Experts recommend that customers monitor their accounts for suspicious activity and be wary of unsolicited communications purporting to be from trusted brands.
As the investigation into the Harrods breach continues, industry observers are watching closely to see how the retailer and its peers adapt to the evolving threat landscape. The hope is that lessons learned from this and other recent incidents will lead to stronger defenses and greater resilience in the face of increasingly sophisticated cyberattacks. For now, Harrods is focused on rebuilding trust with its customers and ensuring that their data remains safe in an ever more connected—and perilous—digital world.
With cyber threats showing no signs of abating, the Harrods incident stands as a stark illustration of the challenges facing retailers in the 21st century. The stakes are high, and the margin for error is shrinking. For Harrods and its customers, the path forward will require vigilance, transparency, and a renewed commitment to security at every level.
