Customer data exposed in Harvey Nichols data breach
Attributed to a system vulnerability
The luxury department store has confirmed names and phone numbers are among the leaked data.
Luxury British department store Harvey Nichols has announced, in a notification sent to affected customers, that it has been the victim of a data breach.
The incident, which the store discovered on 16th September, involved the compromise of sensitive data such as names, email addresses, phone numbers and home addresses.
The retailer believes no financial or password data was accessed. However, it did not say when the attackers initially breached its network.
Harvey Nichols has attributed the incident to a vulnerability in its systems, which has since been patched.
"The issue that allowed the attack to succeed has now been closed so our system is once again fully secure, and we have engaged experts to ensure it remains so," the store told customers, according to The Register.
No misuse of customer data has been reported at this time. However, the company warned users that the stolen information could still be used in phishing or social engineering scams to obtain more sensitive details.
"You should be vigilant to the risk of fraudsters using your contact details (e.g., phone, email address) to attempt to get more sensitive information from you.
"If you receive suspicious SMS/texts, always forward them to 7726. No matter which mobile operator you use, this number is used in the UK to report spam."
The retailer also detailed the steps it is taking to prevent future incidents.
In its letter to customers, Harvey Nichols says it “regularly” contracts third-party companies to conduct weekly and monthly security scans, ensuring its partners’ development processes remain secure.
Additionally, the company tests its website and loyalty app annually, or whenever a significant change is made.
The UK's Information Commissioner's Office (ICO) is investigating the incident and has been provided with details by Harvey Nichols.
The breach comes on the heels of a similar attack on MarineMax, a high-end boat seller, in March of this year.
Security experts have warned that cyberattacks targeting luxury retail brands are on the rise.
Suzan Sakarya, a senior manager in security strategy at Jamf, noted that the affluent clientele of high-end retailers makes them an attractive target for criminals.
"The theft of personal information can be extremely damaging for organisations, resulting in reputational harm, financial losses, and legal issues. Harvey Nichols' customers should remain vigilant for fraud or unsolicited contact and be wary of phishing attacks," she added.
"This serves as a case in point for other businesses, emphasising why it is critical to have effective patch management processes and conduct regular audits, so vulnerabilities can be quickly identified and addressed. It should also be accompanied by other practices such as enforcing multi-factor authentication, using secure passwords or password management software, and ensuring users are aware of security risks."