
Rituals Confirms Data Breach Exposes Member Names, Emails, Addresses; No Payment Data Stolen

Rituals confirmed an unauthorized download of member data from its My Rituals database, exposing names, emails, phone numbers, birth dates, gender and addresses while stating no passwords or payment information were accessed. The company launched a forensic investigation and reported the breach to authorities.

By Peter Olaleru, Cybersecurity Editor


Context

The luxury cosmetics brand Rituals, which reports annual revenues exceeding €1 billion, disclosed the breach earlier this month after detecting an illicit download of part of its members’ database. The company said it acted promptly to stop the exfiltration, launched a forensic investigation and notified the relevant authorities. Affected My Rituals members are now being notified directly.

Key Facts

- Attackers obtained personal data including full name, email address, phone number, date of birth, gender and home address.
- Rituals emphasized that passwords and payment card details were not accessed.
- The firm has contained the intrusion and is conducting an in-depth forensic review to determine how the breach occurred.
- The breach has been reported to law-enforcement and data-protection regulators; no ransomware group has claimed responsibility and the total number of impacted records remains undisclosed.

What It Means

For members, the exposed information increases the risk of targeted phishing and social-engineering attacks, though the absence of credentials reduces the immediate account-takeover danger. From a regulatory standpoint, the incident triggers obligations under the UK GDPR to notify the Information Commissioner’s Office within 72 hours of discovery; Rituals’ prompt reporting suggests compliance with that timeline. The breach also highlights the value attackers place on loyalty-program data, which can be used for identity theft or sold on underground markets even without financial details.

Mitigations

For individuals:

- Treat any unexpected email or SMS requesting personal information as suspicious; verify the sender through official channels.
- Consider enabling multi-factor authentication on any online accounts that reuse the same email address.
- Monitor financial statements and credit reports for signs of misuse.

For organizations:

- Review access controls on member databases; enforce least privilege and segregate personal data from application servers.
- Enable logging of database queries and set alerts for abnormal export volumes (MITRE ATT&CK T1041 – Exfiltration Over Web Service).
- Ensure data-loss-prevention (DLP) rules block outbound transfers of personally identifiable information to unauthorized endpoints.
- Conduct regular penetration testing and credential-audit exercises to reduce the risk of valid-account abuse (MITRE ATT&CK T1078).
- Keep incident-response plans updated and test them tabletop-style to ensure rapid containment and regulator notification.
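The "alert on abnormal export volumes" mitigation above, shown as an added example (not from the article or from Rituals): a sliding-window check over database audit-log lines that flags any account whose reads from a member table exceed a baseline within a short window. The log format, the `report_ro`/`app_svc` accounts, the 10,000-row threshold and the five-minute window are all constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not real data): timestamp, db user, rows returned, table.
# One read-only reporting account pulls tens of thousands of member rows in a few minutes,
# while the application account returns small per-request result sets.
SAMPLE_LOG = """\
2025-01-10T02:00:01Z app_svc rows=25 table=members
2025-01-10T02:00:05Z app_svc rows=40 table=members
2025-01-10T02:01:10Z report_ro rows=20000 table=members
2025-01-10T02:03:30Z report_ro rows=35000 table=members
2025-01-10T02:04:00Z app_svc rows=30 table=members
"""

# Assumed baseline: the most rows any single account normally reads from `members`
# inside one window. Derive this from your own traffic; the values here are illustrative.
ROW_THRESHOLD = 10000
WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Split one constructed audit-log line into its fields."""
    ts, user, rows, table = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "rows": int(rows.split("=", 1)[1]),
        "table": table.split("=", 1)[1],
    }


def flag_bulk_reads(log_text, table="members", threshold=ROW_THRESHOLD, window=WINDOW):
    """Return {user: peak_rows_in_window} for accounts whose reads of `table`
    within any sliding `window` exceed `threshold`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["table"] == table:
            events[ev["user"]].append((ev["ts"], ev["rows"]))
    alerts = {}
    for user, evs in events.items():
        evs.sort()
        start, total = 0, 0
        for ts, rows in evs:
            total += rows
            while ts - evs[start][0] > window:  # drop events that fell out of the window
                total -= evs[start][1]
                start += 1
            if total > threshold:
                alerts[user] = max(alerts.get(user, 0), total)
    return alerts
```

Running `flag_bulk_reads(SAMPLE_LOG)` on the constructed log returns `{"report_ro": 55000}`, the peak volume seen for the one account that crossed the baseline; feed the same function your real audit export to tune the threshold before wiring it to an alert.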

What to watch next: The outcome of Rituals’ forensic investigation, any formal action from the UK ICO, and whether the stolen data appears in underground markets.
