Harrods blames supplier for second cyberattack of 2025

Don’t worry – only basic personal information has been compromised, claims Harrods

High-end retailer Harrods has blamed a supplier for its second cyberattack of 2025, which saw the theft of data relating to around 430,000 customers.

The company began notifying the affected customers last week, claiming that the supplier responsible had isolated and contained the incident. It added that no financial information or sensitive information, such as passwords, was compromised.

In a statement, the company said: “We have been notified by one of our third-party providers that some Harrods e-commerce customers' personal data has been taken from one of their systems.

“The third party has confirmed this is an isolated incident which has been contained, and we are working closely with them to ensure that all appropriate actions are being taken. We have notified all relevant authorities.”

It added that it had “received communications from the threat actor and will not be engaging with them”.

However, while the details stolen might be fairly mundane, they could still be used in targeted phishing attacks or even as the basis for identity theft.

It is the second time this year that Harrods has been targeted. The attack earlier this year was linked with the Scattered Spider threat group. In response to that attack in May, the company cut off internet access to its sites as a precaution, it claimed, although such a response may indicate a more serious threat than the company was prepared to admit.

This year, a number of high-profile businesses have been affected by debilitating cyber attacks, including other retailers – Marks & Spencer and the Co-op – and Jaguar Land Rover (JLR).

JLR is still recovering from the attack at the beginning of September, having been forced not just to shut down and rebuild critical systems, but also to halt manufacturing. Moreover, as a result, it has turned to government to guarantee a £1.5 billion loan to help it overcome the financial implications of the cyberattack.

Marks and Spencer took four months to restore its click-and-collect service following a debilitating attack in April, an attack that also compromised customer data. As with Harrods, that attack was linked to the Scattered Spider threat group. That group has also been implicated in attacks on the financial sector.

Unlike most threat groups, which are either state-linked or based in parts of the world out of reach of US or European justice systems, Scattered Spider is believed to be based in the US and UK.

“The group – which has some members as young as 16 – first gained global recognition in September 2023 when they successfully hacked the internal systems of both Caesars Entertainment and MGM Resorts, obtaining sensitive data they used to extort the casinos,” according to cybersecurity researchers SafeBreach.

The group typically try to gain access in one of three ways, according to SafeBreach senior sales engineer Adrian Culley: phishing and helpdesk impersonation; multi-factor authentication ‘push bombing’; and SIM swapping.

Push bombing takes advantage of compromised user passwords to flood account holders’ smartphones with repeated multi-factor push notifications in the hope that the employee will accept one of them, just to make them stop. Once they do, the attackers can gain access.
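The flood-then-accept pattern leaves a recognisable trace in authentication logs. The following is an added example, not code from the article or from SafeBreach: it flags users who receive a burst of denied or unanswered push prompts and records whether an approval followed. The event format, threshold and time window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (user, ISO timestamp, push result); not from a real log.
SAMPLE_EVENTS = [
    ("alice", "2025-01-10T09:00:00", "approved"),   # normal single login
    ("bob",   "2025-01-10T02:14:00", "denied"),
    ("bob",   "2025-01-10T02:14:40", "timeout"),
    ("bob",   "2025-01-10T02:15:10", "denied"),
    ("bob",   "2025-01-10T02:15:50", "timeout"),
    ("bob",   "2025-01-10T02:16:30", "denied"),
    ("bob",   "2025-01-10T02:17:05", "approved"),   # gives in after the flood
    ("carol", "2025-01-10T11:00:00", "denied"),     # one mistaken prompt
    ("carol", "2025-01-10T11:00:30", "approved"),
]

def detect_push_bombing(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per user who received >= threshold denied or
    unanswered pushes inside `window`; approved_at is set when an
    approval followed the flood (the highest-severity case)."""
    recent = defaultdict(deque)   # user -> timestamps of denied/timeout pushes
    alerts = {}                   # user -> alert dict
    for user, ts, result in sorted(events, key=lambda e: e[1]):
        t = datetime.fromisoformat(ts)
        q = recent[user]
        while q and t - q[0] > window:      # drop prompts older than the window
            q.popleft()
        if result in ("denied", "timeout"):
            q.append(t)
            if len(q) >= threshold:
                alert = alerts.setdefault(
                    user, {"user": user, "prompts": 0, "approved_at": None})
                alert["prompts"] = max(alert["prompts"], len(q))
        elif result == "approved":
            alert = alerts.get(user)
            if alert and len(q) >= threshold and alert["approved_at"] is None:
                alert["approved_at"] = ts   # flood ended in an accepted prompt
            q.clear()                       # a fresh login resets the count
    return list(alerts.values())

if __name__ == "__main__":
    for a in detect_push_bombing(SAMPLE_EVENTS):
        print(a)
```

An alert with `approved_at` set means the session granted by that approval should be treated as suspect rather than as a legitimate login.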

SIM swapping involves fooling a mobile carrier into porting targeted phone numbers to a SIM card the attackers control, enabling them to intercept SMS-based multi-factor authentication codes and take over accounts.

Two members of the group were arrested and charged two weeks ago over attacks on Transport for London earlier in the month, which reportedly cost the publicly owned group £39 million.

In July, four people were arrested over the cyber attacks on M&S, the Co-op and the earlier attack on Harrods. They were arrested on suspicion of blackmail, money laundering, participating in the activities of an organised crime group and offences under the Computer Misuse Act. According to the BBC, one of the 19-year-old suspects is from Latvia, while the other three are UK nationals.

In the US, meanwhile, investigators have tied Scattered Spider to some $115 million in ransomware attacks. Members of the group have cybercrime records going back to around 2021, including attacks on Microsoft, Nvidia, Okta, Rockstar Games, Samsung, T-Mobile and Uber.

Elsewhere today, operations at Japanese brewing giant Asahi have also been crippled following a cyberattack, with shipping, orders and customer service all suspended. Its European operations, however, remain unaffected.