Rituals Confirms Data Breach Exposing Customer Personal Information

Netherlands-based cosmetics giant Rituals has confirmed a data breach affecting customers' personal information after hackers stole reams of data from its membership database. The company disclosed the breach on Wednesday, according to an email sent to customers that TechCrunch has viewed and verified. Rituals said it identified an "unauthorized download" of members' data in April that contained customers' full name, date of birth, gender, postal and email address, and phone number as well as their preferred Rituals store, and account type. When reached by TechCrunch, Rituals spokesperson Eline van Malssen said the hacker stole membership data about customers in Europe and the United Kingdom. TechCrunch has learned that some customers notified by Rituals are based in the United States. The spokesperson confirmed the incident also affects some U.S. customers. Rituals did not describe the nature of the cyberattack and the company said its investigation was underway to understand how the data breach happened. The cosmetics giant is the latest retailer to have customer membership data stolen in the past year, following a string of intrusions at U.K. grocery and shopping chains Co-op and Marks & Spencer, among others. Customer records can be attractive targets for hackers who steal the data and extort the company for a ransom in exchange for not publishing the information online. When reached with questions about the incident, a Rituals spokesperson declined to comment on whether the company received any communication from the hackers, to share a more precise timeline of the breach, or to provide the exact number of affected members, citing unspecified "security reasons."