Harrods’ latest breach renews a costly question for insurers: was the retailer covered?

Retailer tells customers personal data taken


By Matthew Sellers

It’s not been a great year for the world’s most famous department store. A hack earlier in the year, revelations that former owner Mohamed Al-Fayed had assaulted staff members and now? Now Harrods has told customers that personal information may have been taken after a system operated by a third-party provider was compromised - a fresh blow for a retail sector already rattled by a string of high-profile intrusions this year.

The Knightsbridge department store said the material taken from the supplier’s systems is “limited to basic personal identifiers, including name and contact details, but does not include account passwords or payment details.” The company added it had “been notified by one of our third-party providers that some Harrods e-commerce customers’ personal data has been taken from one of their systems.” 

For risk managers and underwriters the immediate technical facts - what fields were exposed, whether payments or credentials were included, and whether the intrusion is linked to earlier attempts - matter. But the commercial question that will quickly dominate boardroom conversations is simpler and harder: who will bear the bill? When large retailers are hit, the balance sheet impact can be measured in tens or even hundreds of millions of pounds - as the Co-op’s experience earlier this year demonstrated - and whether that loss sits with the company or is offset by an insurer makes a material difference for shareholders and policy capacity alike. 

The spring wave of attacks that affected Marks & Spencer, the Co-op and Harrods prompted reporting that some of the targets were without dedicated cyber cover. Industry reporting at the time suggested Harrods, alongside the Co-op, “did not have cyber coverage in place,” a distinction that contrasts with peers that have looked to their cyber programmes for at least partial relief. Those accounts intensified scrutiny of boards that weigh insurance premia against spending on defensive technology. 

The Co-op’s case remains instructive for insurers: the mutual has acknowledged it did not hold dedicated cyber insurance for the April attack and has taken an outsized hit to revenue and profit as a result. The group’s reported losses from the incident - in the order of hundreds of millions in forgone sales and operating impact - are being borne by the business, a public example of the downside of self-insurance for cyber risk.

Those realities raise three immediate issues for the London market and buyers: 

  • Scope and second-party risk. This latest Harrods notice centres on data stolen from a supplier’s system. That highlights how vendor ecosystems - cloud providers, fulfilment platforms, marketing partners - create contagion points that can be outside a policyholder’s direct control. Underwriters are likely to ask detailed questions about vendor contracts, security assurances and indemnities when pricing large retail accounts. 
     
  • Policy design and what “cover” actually means. Cyber policies vary markedly in scope: incident response and forensic costs, notification and credit-monitoring, business interruption and contingent BI, ransom payments, and amounts tied to regulatory fines or contractual liabilities are not uniform. The Co-op episode has already sharpened brokers’ messaging that “not having a cyber policy” can lead to material retained losses - and that “having” one is no substitute for testing whether limits and sub-limits match plausible exposures. 
     
  • Market capacity and disclosure. As more large-loss events are reported, underwriters will push for greater board-level disclosure of both defensive investments and approaches to risk transfer. Brokers should expect tougher underwriting questionnaires, more site visits and conditionality around vendor risk management in renewal cycles. The commercial trade-off that some boards made - investing in technology rather than buying transfer - is likely to be re-examined in the light of realised losses. 

For insurers there is also an operational angle. Retail-scale breaches generate a mixed claim picture: notification and monitoring costs, regulatory enquiries, contractual exposure to partners and suppliers, and - where business interruption follows system outages - large revenue losses that test aggregate cyber limits. The industry will want to know whether this Harrods incident remains contained to basic identifiers (which still carries remediation and reputational cost) or whether further escalation emerges. Harrods’ statement that passwords and payment data were not affected will be welcomed; insurers and counsel will nevertheless insist on forensic validation. 

Finally, the episode is a reminder to policyholders and brokers that cyber resilience is a dual exercise - prevention and transfer. Boards will increasingly face a binary judgment: can the organisation afford to self-insure the financial fallout if controls fail? The Co-op’s experience suggests the costs of that gamble can be very large. For insurance buyers, the practical takeaway is to map plausible scenarios end-to-end, stress test limits against those scenarios and ensure vendor risk is reflected in placement terms; for underwriters, the case strengthens the argument for granular, evidence-based pricing and tighter conditions on third-party risk. 

What to watch next. Insurers and brokers will be monitoring Harrods’ regulatory filings and any further public disclosures for signs of material financial impact or indications that the retailer does (or does not) intend to claim - and for any downstream liabilities arising from the supplier relationship. The broader market will be watching how the losses from the spring wave are allocated across balance sheets and policies: if more large retail losses are uninsured, that will feed both pricing and capacity dynamics in the cyber market for 2026 renewals.
