Landmark London department store Harrods has warned that a number of its shoppers have been contacted by the cyber criminals behind the theft of their personal data from its IT systems.
Harrods had previously stated that it had been contacted by the hackers itself, and that it was not engaging or negotiating with them. The high-end retailer urged customers to follow similar protocols, in line with generally accepted expert advice.
“We are aware that some e-commerce customers have been directly contacted by someone purporting to have taken some personal data from one of our third-party providers’ systems,” a Harrods spokesperson told Computer Weekly.
“We have notified all relevant authorities, including the National Cyber Security Centre and the Metropolitan Police Cyber Crime unit, and they are actively investigating.
“Negotiating with cyber criminals does not result in any guarantees as to what they may do with the information they have accessed,” the spokesperson said.
“We apologise to customers for any inconvenience and would like to reiterate that the personal data accessed is limited to basic personal identifiers such as name and contact details.”
Computer Weekly contacted Harrods to establish details of the nature of these contacts, but the organisation declined to provide additional information.
It is possible that the hackers are attempting to extort individuals whom they perceive to be of high net worth.
In some instances, particularly ransomware attacks, it is also not unknown for cyber criminals to contact customers to urge their victims to comply with extortion demands.
However, at the time of writing, there is no indication that Harrods has been hit by ransomware.
Third-party risk to reputation
The intrusion at Harrods was discovered last week, and the retailer has stated that it was orchestrated via the systems of an as-yet undisclosed third-party IT supplier.
The attackers made off with the personal data of 430,000 shoppers, although at the time of writing, no credit card or other financial details are known to have been compromised.
“Harrods’ second breach in six months should remove any illusion of safety through prestige. The retailer may not be engaging with the attacker, but cyber criminals are certainly engaging with them and the brand is paying the price,” said EclecticIQ CEO Cody Barrow.
“This incident wasn’t a direct hit, but a reminder that supply chains are now battlegrounds. Customer data, loyalty tags and contact info are enough to launch highly convincing scams and cause long-term damage to trust. Once again, attackers didn’t need to storm the front door when a back entrance was wide open.
“The alarm has been ringing for years. What’s changed is the cost of ignoring it – regulatory fines that hit the bottom line, customer defection that damages valuation, and personal board-level accountability that follows executives home. The question isn’t whether to act, it’s whether you act now or after your brand takes the hit,” said Barrow.
The incident is the second cyber attack to befall Harrods this year – in May, the retailer was struck in a wave of incidents attributed to the Scattered Spider gang, but unlike other victims such as Marks and Spencer (M&S) and Co-op Group, it appeared to emerge from the attack largely unscathed. There is no indication that the two incidents are in any way linked.
