What happened, who was affected, and what we can learn…
Harrods
Date Reported: 26th-29th September, 2025
No. of UK Individuals Affected: ~430,000 (Customer Records).
Data Exposed or at Risk: Names, Email Addresses, Phone Numbers, Postal Addresses (No Passwords or Payment Data).
ICO Response: Harrods confirmed it has notified the ICO and relevant authorities; ICO investigation ongoing.
Summary: Attackers breached a third-party supplier linked to Harrods’ e-commerce stack and exfiltrated a marketing/customer dataset. Harrods says core systems were not compromised; notifications have been sent to affected customers.
Commentary: Another reminder that your risk surface includes your vendors. Treat marketing and “non-core” systems as high-value; they hold live identifiers, are often broadly accessible, and can be poorly segmented.
Imgur/MediaLab (Provisional ICO Enforcement)
Date Reported: 10th September, 2025 (Notice of Intent Issued)
No. of UK Individuals Affected: Not Disclosed (Global Platform; UK Users Implicated).
Data Exposed or at Risk: Historical Account Data (Per Ongoing investigation).
ICO Response: Notice of intent to impose a monetary penalty on MediaLab (Imgur’s owner); findings are provisional pending representations.
Summary: The ICO announced provisional findings and an intent to fine MediaLab over Imgur-related data protection failings. The decision is not final; sanctions may change following formal representations.
Commentary: Even without a final penalty, this signals the ICO’s willingness to act against non-UK platforms where UK users are affected. It’s also a cue for UK organisations using global SaaS; ensure your vendors meet UK GDPR standards and can demonstrate it.
Insights for UK Organisations
- Third-party risk is the front door. The Harrods incident illustrates how marketing and e-commerce auxiliaries can leak large volumes of PII even when “core” systems stay clean.
- Provisional enforcement matters. ICO notices of intent can foreshadow significant penalties and should trigger board-level risk reviews for any similar processing.
- Communications discipline counts. Early, clear customer notices and regulator engagement reduce secondary harm and reputational drag.
Legislative Context
The Data (Use and Access) Act 2025 is moving through staged commencement and consultation. Controllers should track the ICO’s DUAA consultations (e.g., recognised legitimate interest, complaint handling) and prepare to evidence compliance.
Conclusion
September shows how outsourced e-commerce and marketing stacks remain a rich target. Vendor controls, data minimisation, and robust breach playbooks are non-negotiable. Meanwhile, the ICO’s provisional action in the Imgur matter underscores that UK users’ rights travel across borders; and so does UK regulatory scrutiny.
Disclaimer
This report is based on public disclosures, media reports, and ICO updates available at the time of writing. Figures for affected individuals may be estimated where not officially disclosed. This post is intended for informational purposes only and does not constitute legal advice.
Sources:
