Dutch cosmetics company Rituals said attackers stole personal information from its My Rituals membership database, affecting an undisclosed number of customers. The company disclosed the breach in a Wednesday notice after it detected unauthorized downloads earlier this month.
KEY FACTS
- Incident: Unauthorized downloads from the My Rituals membership database
- Data exposed: Names, email addresses, phone numbers, dates of birth, gender and home addresses
- Not accessed: Passwords and payment information
- Response: Authorities were notified and access was blocked
A company disclosure said the stolen records may include full name, email address, phone number, date of birth, gender and home address, depending on what customers shared. Rituals said no passwords or payment information were accessed.
The company said it has contained the breach by blocking the attackers’ access and has not found evidence that the data has been posted online. It also said it has started an in-depth forensic investigation to determine how the intrusion happened and what steps could reduce the risk of a repeat.
The breach affects members of the My Rituals loyalty program, which offers rewards, gift-with-purchase benefits and birthday gifts. Rituals did not say how many customers were affected, although it said the program has more than 41 million members.
Rituals said it reported the incident to relevant authorities and informed affected customers directly. The company also said some customers in the United States were notified. No threat group has claimed responsibility, and the nature of the attack has not been disclosed.
WHY IT MATTERS
The breach affects a large customer loyalty database and includes contact and demographic details that can be used in phishing or other scams. Because Rituals said passwords and payment data were not exposed, the most immediate risk appears tied to personal information rather than financial access.

