Harrods Data Breach: Another Lesson in Supply Chain Risk
- Katarzyna Celińska

- Oct 13
- 2 min read
Luxury retailer Harrods has confirmed a data breach affecting 430,000 e-commerce customers, following the compromise of one of its third-party suppliers. The attackers stole names, contact details, and marketing-related tags tied to Harrods’ loyalty program and co-branded credit cards.
The attackers contacted Harrods directly in an extortion attempt, but the company refused to engage and reported the breach to UK regulators. Customers have been advised to watch for phishing and social engineering scams.
Root Cause: Third-Party Compromise
This incident is not Harrods’ first cyber challenge — the retailer successfully repelled a ransomware attack earlier this year attributed to Scattered Spider. However, this time, the intrusion occurred via a supplier, demonstrating yet again that supply chain attacks remain one of the greatest cybersecurity threats.
Another breach involving a third party is, unfortunately, something we must start to expect. Almost every major cyber report in recent years lists supply chain attacks and third-party compromise among the top cyber risks. What concerns me most is that many organizations still treat supply chain security as a compliance exercise, not a real risk management process. They check whether vendors have ISO certificates, SOC 2 reports, or some other attestation, but few ever evaluate whether the controls behind those documents are mature and actually effective.

Let’s be honest:
☑️ ISO 27001 and similar certifications have become too watered down.
☑️ SOC 2 is stronger, but the rise of automated audit platforms promising attestation in a few weeks raises serious conflict-of-interest concerns.
☑️ Most clients rarely read beyond the certificate or the auditor’s opinion and ignore the key sections of the report, such as the system description, the scope, the noted exceptions, and the complementary user entity controls the client itself is expected to operate.
Organizations must start demanding real evidence of cybersecurity capability, not just paper-based compliance. That means:
✅ Setting clear, detailed vendor requirements, including a list of controls.
✅ Evaluating technical control effectiveness, not just documentation.
✅ Ensuring audit independence and quality.
✅ Continuously monitoring third-party risk — not once a year.
I spoke about this in detail at the ISACA Warszawa event — you can find the recording here: link
If we don’t change our approach, breaches like this will keep happening — not because hackers are too advanced, but because we continue to make the same mistakes.
Author: Sebastian Burgemejster