A major UK retail chain disclosed late yesterday evening that the personal data of approximately 2.3 million customers had been exposed following a security incident at a third-party logistics and fulfilment vendor the retailer has used since 2021.
The breach, which the retailer says it became aware of on Tuesday, affected customer records including names, home and delivery addresses, email addresses, telephone numbers, complete purchase histories dating back to 2019, and — in a subset of approximately 340,000 cases — partial payment card data. The retailer has confirmed that full card numbers were not stored by the third party, though truncated card details, expiry dates and billing addresses were among the data held.
The Information Commissioner's Office confirmed it had received a formal breach notification as required under Article 33 of UK GDPR and said it was "making enquiries" — standard language that does not indicate whether enforcement action is under consideration at this stage.
"We take the security of our customers' data extremely seriously and deeply regret that this incident has occurred. We are working urgently with the relevant authorities and our cyber security partners to understand the full scope."
The third-party vendor, which provides warehousing, logistics and order fulfilment services to multiple UK retail brands, is understood to have suffered a ransomware attack that compromised its customer data management platform. Security sources told BriefingHub that data is believed to have been exfiltrated during a period of between two and four weeks before the encryption event was detected — a pattern increasingly associated with sophisticated double-extortion ransomware operations.
"The attack surface has shifted significantly in the last eighteen months," said one security researcher who asked not to be named. "Tier-one retailers have invested heavily in their own security posture. Their tier-two and tier-three vendors frequently have not. Attackers have noticed."
- Check your email inbox and spam folder — the retailer is contacting affected customers directly
- Monitor bank statements and card activity carefully over the coming four to six weeks
- Be alert to phishing attempts that may reference your purchase history to appear legitimate
- Consider placing a CIFAS marker on your credit file if your address data was confirmed as exposed
- Report any suspected fraud to Action Fraud: 0300 123 2040 or actionfraud.police.uk
The retailer confirmed it has engaged a specialist cyber incident response firm and has taken steps to terminate its relationship with the affected vendor. This is the fourth significant UK retail sector data breach to be publicly disclosed in the past eighteen months. BriefingHub will continue to cover this story as further details emerge.