Opening lines from a whiskey soaked skeptic
Pour yourself a glass of bourbon and brace for the usual data breach performance art. Harrods, that paragon of luxury and questionable cyber hygiene, confirms that some personal details were taken in a breach. The public-facing line reads like a confession dressed up as a press release – a reminder that the attackers may have had access long enough to pocket a trophy bag of customer data, and the rest of us are left to pretend this is surprising.
The crime and the arrests
SecurityWeek reports that four people were arrested in July on suspicion of involvement in cyber attacks against Harrods and two other leading British retail chains, Marks & Spencer and the Co-op. Translation: the crime is not a myth invented by a vendor slide deck; there are real people on the other side of the keyboard, and authorities are occasionally catching up with them. The headline is loud, but the implementation details in the public sphere stay maddeningly vague, because that is how we like our breaches – spicy but non-actionable.
Why this story keeps happening
What we are really watching here is a two-step theater production: first, the breach is announced with enough specifics to keep customers from oversharing their credentials on dating apps; second, the remediation appears to be mostly procedural apologies and a handful of police press conferences. This is not about sensational global espionage; it is about ordinary retail IT that still believes two-factor authentication in name only equals security. The pattern repeats because vendors sell hope in the form of glossy dashboards, and CISOs nod along as if this time the patch will finally fix the basement flood of exfiltrated data.
What to fix, in plain terms
First, stop walking past the obvious: implement robust, tested security controls that scale with customer data. Encrypt sensitive fields at rest and in transit. Apply strict access controls and monitoring so analysts know when data leaves the database, not merely when a user logs in. Patch systems, including those behind the most visible e-commerce fronts, and validate your supply chain with real third-party risk assessments. Finally, assume breach and run tabletop exercises that involve real attackers with real tools, not the vendor playbook.
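The "know when data leaves the database" control above, as an added example that is not part of the original post: a small detector that runs over constructed database audit log lines and alerts on bulk row egress per principal, rather than on logins. The log format, field names and the 10,000-row baseline are assumptions, not any vendor's.

```python
# Added example, not from the original post: a small egress-volume detector over
# constructed database audit log lines. It alerts when one principal pulls more
# rows from one table within a window than an assumed baseline, i.e. it watches
# data leaving the database rather than logins. Log format and thresholds are
# assumptions, not any vendor's.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit lines: timestamp, principal, table, rows returned.
SAMPLE_LOG = """\
2025-07-01T09:00:01Z user=svc_checkout table=orders rows=12
2025-07-01T09:00:05Z user=svc_checkout table=orders rows=8
2025-07-01T09:01:10Z user=analyst_jo table=customers rows=250
2025-07-01T09:01:40Z user=analyst_jo table=customers rows=48000
2025-07-01T09:02:05Z user=analyst_jo table=customers rows=52000
2025-07-01T09:30:00Z user=svc_checkout table=orders rows=15
"""

def parse_line(line):
    """Parse one audit line into a dict; raises on malformed input."""
    ts_str, *kv = line.split()
    fields = dict(part.split("=", 1) for part in kv)
    return {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
            "user": fields["user"], "table": fields["table"],
            "rows": int(fields["rows"])}

def detect_bulk_egress(log_text, window=timedelta(minutes=5), threshold=10000):
    """Return (user, table, rows_in_window) for each (user, table) pair whose
    rows returned within `window` exceed `threshold`; one alert per pair."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    seen = defaultdict(list)   # (user, table) -> [(ts, rows)] inside the window
    alerted, alerts = set(), []
    for e in events:
        key = (e["user"], e["table"])
        bucket = seen[key]
        bucket.append((e["ts"], e["rows"]))
        while e["ts"] - bucket[0][0] > window:   # evict events older than window
            bucket.pop(0)
        total = sum(rows for _, rows in bucket)
        if total > threshold and key not in alerted:
            alerted.add(key)
            alerts.append((e["user"], e["table"], total))
    return alerts

if __name__ == "__main__":
    for user, table, total in detect_bulk_egress(SAMPLE_LOG):
        print(f"ALERT bulk read: {user} returned {total} rows from {table} in 5 min")
```

On the constructed sample the checkout service stays under baseline while the analyst account trips the alert on its second large pull; in practice the baseline would be tuned per principal and table from historical volumes.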
Bottom line and a reminder
If your plan to protect customer data relies on a single security control mislabeled as MFA or an alerting rule that only fires when an employee trips over a misconfigured VPN, you are not doing security – you are doing risk management theater. Open a bottle of whiskey, admit that this is the industry's perpetual motion machine, and fix the basics before the headlines go from Harrods to Home Depot.