Cybersecurity | 2 hrs ago

Rituals Confirms April Data Breach Exposing 41+ Million Members’ Personal Data

Rituals disclosed an April unauthorized download exposing names, birthdates, and contact data of over 41 million members worldwide.

By Peter Olaleru, Cybersecurity Editor (3 min read, US)

Source: Csidb

Rituals confirmed an April unauthorized download that exposed personal data of over 41 million members, including names, birthdates, and contact details. The company disclosed the breach on Wednesday after a customer email was verified by TechCrunch.

Context: Rituals, a Netherlands‑based cosmetics retailer, operates a membership program with more than 41 million customers and reported €2.4 billion ($2.8 billion) in revenue for 2025. The breach notice followed a string of similar intrusions at UK retailers such as Co‑op and Marks & Spencer.

Key Facts: The unauthorized download occurred in April and exfiltrated full names, dates of birth, gender, postal and email addresses, phone numbers, preferred store location, and account type. Rituals said the data pertains to members in Europe, the United Kingdom, and the United States, though it did not provide an exact count of affected U.S. customers. The company has not disclosed the attack vector, threat actor identity, or whether any ransom demand was received, stating its investigation is ongoing.

What It Means: Exposed personal data increases the risk of identity theft, phishing, and credential stuffing attacks against affected individuals. Regulators may scrutinize Rituals’ data protection practices under GDPR and comparable U.S. state privacy laws, potentially leading to fines or mandated remediation. Customer trust could erode, impacting future membership enrollment and brand loyalty.

Mitigations: Security teams should enforce multi‑factor authentication on all privileged accounts, monitor for anomalous data access patterns using SIEM rules aligned with MITRE ATT&CK T1078 (Valid Accounts) and T1041 (Exfiltration Over Command‑and‑Control Channel), deploy data loss prevention controls to detect large‑scale outbound transfers, and ensure databases are patched against known vulnerabilities such as CVE‑2023‑22515 (Atlassian Confluence) if applicable. Regular credential rotation and least‑privilege access reviews further reduce exposure.

Watch for Rituals’ forthcoming investigation findings, any regulator notifications, and signs of extortion attempts linked to the stolen data.
