A major UK retail chain disclosed late yesterday evening that the personal data of approximately 2.3 million customers had been exposed following a security incident at a third-party logistics and fulfilment vendor the retailer has used since 2021.
The breach, which the retailer says it became aware of on Tuesday, affected customer records including names, home and delivery addresses, email addresses, telephone numbers, complete purchase histories dating back to 2019, and — in a subset of approximately 340,000 cases — partial payment card data. The retailer has confirmed that full card numbers were not stored by the third party, though truncated card details, expiry dates and billing addresses were among the data held.
The Information Commissioner's Office confirmed it had received a formal breach notification as required under Article 33 of UK GDPR, and said it was "making enquiries" — standard language that does not indicate whether enforcement action is under consideration at this stage. Organisations face potential fines of up to £17.5 million or 4% of global annual turnover for serious data protection failures.
"We take the security of our customers' data extremely seriously and deeply regret that this incident has occurred. We are working urgently with the relevant authorities, our cyber security partners and the affected vendor to understand the full scope of this incident."
The third-party vendor, which provides warehousing, logistics and order fulfilment services to multiple UK retail brands in addition to the retailer named in the disclosure, is understood to have suffered a ransomware attack that compromised its customer data management platform. Security sources familiar with the investigation told WhatLeaked that data is believed to have been exfiltrated during a period of between two and four weeks before the encryption event was detected — a pattern increasingly associated with sophisticated double-extortion ransomware operations.
"The attack surface has shifted significantly in the last eighteen months," said one security researcher who asked not to be named pending publication of a forthcoming industry report. "Tier-one retailers have invested heavily in their own security posture. Their tier-two and tier-three vendors frequently have not. Attackers have noticed."
- Check your email inbox and spam folder — the retailer is contacting affected customers directly with specific details of what data was exposed
- Monitor bank statements and card activity carefully over the coming four to six weeks for any unfamiliar transactions
- Be alert to phishing attempts that may reference your purchase history or delivery address to appear legitimate — this is a primary risk following purchase history exposure
- Consider placing a protective CIFAS marker on your credit file if your address data was confirmed as exposed
- Report any suspected fraud or suspicious contact to Action Fraud: 0300 123 2040 or actionfraud.police.uk
- If you used the same password for the retailer's site as for any other account, change it on every account that shares it immediately
The retailer confirmed it has engaged a specialist cyber incident response firm and has taken steps to terminate its relationship with the affected vendor. It declined to name the vendor, citing the ongoing investigation, though two separate sources have independently identified the company to WhatLeaked. We are withholding the vendor's identity pending further verification.
This is the fourth significant UK retail sector data breach to be publicly disclosed in the past eighteen months, raising broader questions about the contractual security obligations placed on third-party vendors by retailers handling consumer data at scale. Industry observers note that while the UK GDPR places primary accountability on data controllers — the retailers — the practical ability to enforce security standards throughout a complex supplier chain remains a significant challenge.
The ICO has previously fined organisations for failures in their third-party vendor oversight, most recently in a 2024 case involving a financial services firm whose data processor suffered a breach that exposed approximately 900,000 records. That case resulted in a fine of £4.4 million — approximately 1.2% of the controller's annual UK turnover.
WhatLeaked will continue to cover this story as further details emerge from the investigation. Follow our live feed for updates throughout the day.