British luxury department store Harrods has been contacted by the hackers behind a data breach at one of its third-party providers which impacted 430,000 customer records.
On Tuesday, the luxury department store released a statement saying it would not engage or negotiate with the cyber criminals.
"We are aware that some e-commerce customers have been directly contacted by someone purporting to have taken some personal data from one of our third-party providers’ systems and we have notified all relevant authorities, including the National Cyber Security Centre and the Metropolitan Police Cyber Crime unit, and they are actively investigating," it said.
It told customers that negotiating with cyber criminals does not result in any guarantees as to what they may do with the information they have accessed.
On Friday last week, the retailer said that it had been notified by a third-party provider that some of its customers' personal data had been stolen from one of their systems.
Personal data affected by the incident was limited to basic personal identifiers, with no payment or order history accessed by the hackers.
At the time, the third party said that it was an isolated breach which had been contained.
On Sunday, the company said it had received communication from the threat actor and that it would not be engaging with them.
“We proactively informed affected e-commerce customers on Friday that the impacted personal data is limited to basic personal identifiers including name and contact details (where this information has been provided)," continued the retailer. "It does not include account passwords or payment details."
Harrods did say that affected customer records may have labels related to marketing and services delivered by Harrods.
While labels could include tier level or affiliation to a Harrods co-branded card, the British retailer explained this information is "unlikely to be interpreted accurately by an unauthorised third party."
Harrods also assured customers that the incident is unconnected to attempts to gain unauthorised access to its systems earlier this year.
In May, Harrods became the third British retailer to be hit by a cyber-attack in the space of two weeks.
The attempted cyber-attack followed similar incidents at The Co-op and Marks & Spencer (M&S).
At the time, the retailer restricted access to its websites in response to the incident.
"Harrods’ second breach in six months should remove any illusion of safety through prestige," said Cody Barrow, former NSA cyber chief and chief executive of cyber threat intelligence firm EclecticIQ. "The retailer may not be engaging with the attacker, but cyber criminals are certainly engaging with them and the brand is paying the price."
Barrow warned that access to customer data, loyalty tags and contact information is enough to launch highly convincing scams and cause long-term damage to customer trust.
Dennis Martin, crisis management and business resilience specialist at Axians UK said that cyber extortion has evolved beyond basic ransom demands into multi-pronged assaults.
"It’s now increasingly common to see hackers employ the double threat of leaking data publicly, or triple threat of reaching out directly to clients, suppliers and other third parties demanding payment to avoid further exposure," he continued. "This widens the blast radius of every breach and turns an incident into a systemic crisis.
"It’s a clear sign that security and resilience must extend beyond your own perimeter."
Mariano Gomide, chief executive of VTEX, the global digital commerce platform used by Walmart, L’Oreal, Cartier and Carrefour, praised Harrods for handling this breach with clearer incident steps than the "more limited precautionary measures" it demonstrated during the May incident, noting that "customers and authorities were informed, attackers were dismissed, and follow-up actions were defined."
"The fact that the compromise originated from a third-party provider underlines one of the most persistent challenges in cybersecurity: supply chain risk," said NDR specialist Jamie Moles, who is senior technical manager at cybersecurity firm ExtraHop. "Retailers can invest heavily in their own defences, but one weak link in a partner’s systems can open the door to large-scale data theft."