Rituals says hackers stole member data in breach affecting Europe, UK customers
Rituals said hackers pulled membership data from its loyalty database, exposing names and contact details for customers in Europe, the UK and some in the U.S.

Another retailer has lost loyalty-program data, showing how membership systems have become a soft target even when no payment cards are exposed. Rituals said hackers made an unauthorized download of customer records in April, pulling information from its My Rituals database that could include full names, dates of birth, gender, postal and email addresses, phone numbers, preferred store and account type.
The Netherlands-based cosmetics chain said its investigation was ongoing, but it told customers that no passwords or payment information were involved and that access was blocked immediately after the breach was discovered. Eline van Malssen, the company’s spokesperson, confirmed the incident affected membership data for customers in Europe and the United Kingdom, with some United States customers also affected. Rituals did not disclose how many people were hit or explain the attack method.
The company’s own FAQ said the wave of fake birthday gift scam messages circulating alongside the incident did not come from Rituals and had no link to the breach. That distinction matters because membership databases often bundle enough personal detail to make phishing far more convincing. Names, birthdays, phone numbers and store preferences can be used to impersonate a brand, guess security questions or tailor messages that look routine.

Rituals’ scale also makes the breach more significant. Its public business highlights list more than 41 million My Rituals members, more than 12,000 employees worldwide and about €2.43 billion in net revenue for fiscal 2025. That combination of customer reach and personal-data density makes the company a valuable target for criminals looking to resell records or use them in follow-on fraud. The Dutch data watchdog, the Autoriteit Persoonsgegevens, has warned that breaches can have serious consequences including identity fraud, while the UK’s Information Commissioner’s Office says organizations should maintain breach response plans and keep records of personal data breaches.
The incident lands in a retail sector already rattled by similar attacks. Co-op later said hackers stole data belonging to all 6.5 million members after its cyberattack, and Marks & Spencer confirmed customer data theft after its April 2025 breach. Together, the cases suggest retailers are still collecting rich customer profiles for loyalty and marketing while attackers keep finding them easier to monetize than many companies seem prepared to admit.

