Harvey Nichols confirms cyberattack, says customer data leaked
Harvey Nichols, a luxury British department store known for offering high-end fashion, beauty, food and home products, suffered a cyberattack in which criminals stole sensitive user data. The company confirmed the news in data breach notifications it recently began sending to affected customers.
In the email, the company said it had lost people’s names, mailing addresses, phone numbers, company names and email addresses. It described the stolen information as “non-sensitive,” despite the fact that it could be used in dangerous phishing attacks that could result in wire fraud, ransomware attacks and more.
Fortunately, the payment details and login information have not been made public.
Missing key details
Aside from the data breach notification letters, the company has remained tight-lipped about the breach. There was no mention of it on its website or social media accounts. On X, it advises victims to contact it via email for further assistance. As a result, we do not know who the attackers are, when the attack occurred, how they compromised the network, or whether they used malware or ransomware in their attack. We also do not know how long the attackers were on the target infrastructure, how they were discovered, or whether they contacted the company with ransom demands. TechRadar Pro has contacted the company with these questions and will update this article once we hear back.
Harvey Nichols did say that the hole through which the attackers gained access has been patched since the breach was first noticed. “The issue that allowed the attack to succeed has now been fixed, so our system is once again fully secure and we have experts in place to ensure it remains that way,” the company said. The company also said it had not seen any evidence of data misuse.
“Remain vigilant if you receive suspicious emails or phone calls claiming to be from Harvey Nichols,” the company concluded. The Information Commissioner’s Office and the Data Protection Commission in Ireland have both been notified of the breach.
Via The Register