Cybercrooks strut away with haute couture Harvey Nichols data

High-end British department store Harvey Nichols is writing to customers to confirm some of their data was exposed in a recent cyberattack.

Customers have already received, or are set to receive, letters this week with details of the incident, which exposed their name, company (if provided), phone number, as well as email and home addresses.

Highly sensitive information like passwords and financial information isn't believed to be affected.

Understandably, a bunch of customers are not happy.

Harvey Nichols said it became aware of the breach on September 16, but didn't say when the attackers first found themselves inside the network.

The Register asked the retailer for more information on this and other aspects of the case, including if ransomware was involved and how many people were affected, but it didn't reply in time for publication.

We also asked why it was so difficult to find information about the break-in through its official channels. After some trawling of Harvey Nichols' website, we were unable to locate a link to information about the digital assault, despite it being slapped all over social media.

Alluding to a potential vulnerability, the document sent to customers states: "The issue that allowed the attack to succeed has now been closed so our system is once again fully secure, and we have engaged experts to ensure it remains so."

Few other details about the case were communicated to those affected, other than repeated warnings to be cognizant of the potential for the exposed data to be used in targeted phishing attacks.

"Your personal data was exposed, so while we are not aware that it has been misused in any way, there remains a possibility that your data could be used to scam you," the notification adds. "While no financial or password data has been exposed, you should be vigilant to the risk of fraudsters using your contact details (e.g. phone, email address) to attempt to get more sensitive information from you.

"In particular, you should look out for phishing emails or emails that look suspicious (e.g. emails you receive that you are not expecting). You should also keep an eye out for any fraudulent activity on all your accounts. If you receive suspicious SMS/texts, always forward them to 7726. No matter which mobile operator you use, this number is used in the UK to report spam."

The UK's 7726 service is operated by security shop Proofpoint's Cloudmark division and most major mobile network operators are enrolled in the service allowing users to report unwanted calls and texts.

On alphanumeric phone keypads, 7726 spells SPAM, so it's easy enough to remember. The service has been around for more than a decade.

In what seems like a rarity for breach notifications nowadays, Harvey Nichols explicitly apologizes to the affected individuals. It says in the letter: "We are very sorry for the inconvenience caused on this occasion. But rest assured, we take our customers' data extremely seriously. 

"We have taken immediate steps to secure all data (supported by a cybersecurity expert) to ensure that our processes and systems remain as secure as possible going forward."

The letter adds that the retailer's website and loyalty app are put through "complete 360 tests" once annually or before any major changes to either platform. Harvey Nichols contracts different third-party companies to run weekly and monthly security scans to validate its partners' development pipelines.

The Reg asked the Information Commissioner's Office (ICO) and the National Crime Agency (NCA) whether they were made aware of the incident. The NCA told us it was not.

A spokesperson for the ICO told us: "Harvey Nichols has made us aware of an incident and we are accessing the information provided." ®