Netherlands-based cosmetics giant Rituals has confirmed a data breach affecting customers across Europe, the United Kingdom, and the United States after attackers performed an "unauthorized download" of records from its membership database in April 2026. The company, which operates a loyalty program of more than 41 million customers and reported €2.4 billion ($2.8 billion) in 2025 revenue, disclosed the incident in direct emails to affected members and on its FAQ page.

What Happened

Rituals identified an unauthorized download of members' personal data in April 2026 and began notifying impacted customers this week. The company initially described the exposure as affecting European and U.K. members, but later confirmed to TechCrunch that some U.S. customers are also among those notified. Rituals has declined to disclose the exact number of affected members, the precise timeline of the intrusion, the attack vector, or whether the company has received any extortion communication from the threat actor, citing unspecified "security reasons." The investigation into how the breach occurred remains ongoing.

What Was Taken

According to Rituals' own disclosure, the stolen records contain a substantial set of personally identifiable information for each affected member, including name, date of birth, postal address, phone number, and email address.

Payment card data and account passwords were not listed among the exposed fields. With Rituals' membership program spanning more than 41 million customers globally, the upper bound of potential exposure is significant even if the actual breached subset is smaller. The absence of passwords limits direct credential stuffing, but the combination of name, date of birth, address, phone, and email is a complete identity profile: it is enough for high-fidelity phishing, for account takeover through password-reset flows and support desks that still verify callers with date of birth and address, and for synthetic identity fraud.

Why It Matters

Rituals joins a growing roster of European retailers whose loyalty and membership databases have been pillaged for extortion leverage. In the past year, U.K. grocery chain Co-op confirmed the theft of all 6.5 million of its customer records, and Marks & Spencer suffered a major cybersecurity incident affecting customer-facing operations. The pattern is consistent: high-volume consumer retailers with mature loyalty programs sit on enormous PII repositories that are reachable from marketing, analytics, and support tooling, loosely segmented from the broader corporate network, and rarely treated with the rigor that PCI DSS forces onto cardholder data. Threat actors have learned that membership databases offer ransom leverage without triggering the mandatory forensic investigation and card-brand penalties that follow a payment card compromise, which makes them an attractive softer target even though GDPR and U.K. data protection law still require breach notification.

The Attack Technique

Rituals has not publicly described the attack vector, and its spokesperson declined to elaborate, citing security reasons. The company's framing of the incident as an "unauthorized download" is consistent with prior intrusions in this retail wave, which have typically involved one of three routes: credential-based access to a database or third-party platform, exploitation of an internet-facing application, or compromise of a vendor holding database privileges. The lack of disclosure on extortion contact, combined with the data set's clear ransom value, leaves open the possibility that a financially motivated actor is currently negotiating with Rituals or preparing to leak the data. Defenders, including partners whose systems integrate with Rituals' membership platform, should treat this as an active intrusion of unknown root cause until Rituals publishes more detail.

What Organizations Should Do

  1. Audit loyalty and CRM database access paths. Inventory every service account, API integration, and third-party platform with read access to membership data, and revoke anything not actively required.
  2. Enforce MFA, preferably phishing-resistant (FIDO2/WebAuthn), on all administrative access to customer databases, including SSO consoles, cloud storage buckets housing exports, and any BI or marketing platforms that ingest member records.
  3. Detect bulk data egress. Implement DLP and database activity monitoring rules that alert on large row-count exports, off-hours queries from interactive accounts, and any data movement to unsanctioned destinations. Baseline volume per principal and sum rows over a time window as well as per statement, so that an export chunked into many modest queries is still caught.
  4. Segment marketing and loyalty environments from production retail systems, and ensure that a compromise of a marketing platform does not cascade into the broader customer database.
  5. Prepare customer notification and counter-phishing playbooks. Rituals members should now expect highly targeted scams using their real names, addresses, and store preferences; brand protection teams should monitor for lookalike domains and impersonation campaigns.
  6. Reassess third-party risk for retail SaaS vendors. Recent retail intrusions have repeatedly traced back to outsourced helpdesks, marketing platforms, and identity providers; revisit vendor security attestations and pen test results for anything touching member PII.
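The following is an added example of the detection logic recommended in item 3, written for this page rather than taken from Rituals or any vendor. It runs a database-activity-monitoring pass over constructed audit records in an assumed pipe-separated format (timestamp, principal, client IP, table, operation, rows returned; timestamps treated as UTC) and flags single-statement bulk reads, off-hours queries by non-service accounts, and clients outside assumed sanctioned ranges. It also keeps a per-principal sliding-window total so that an export split into many sub-threshold chunks still raises an alert. The thresholds, account names, network ranges, and every log line are assumptions for the example.

```python
"""Database activity monitoring pass over constructed audit log lines.

Added example for this page: not Rituals' data and not a vendor's native
audit format. Flags large single-statement reads, off-hours interactive
queries and reads from unsanctioned client ranges, and sums rows per
principal over a sliding window so a chunked export is still caught.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Tunables (assumed values for the example, not figures from the article).
ROW_THRESHOLD = 50_000            # rows returned by one statement
WINDOW = timedelta(minutes=15)    # sliding window for per-principal totals
WINDOW_ROW_THRESHOLD = 60_000     # cumulative rows per principal per window
BUSINESS_HOURS = range(7, 20)     # 07:00-19:59 UTC counts as on-hours
SANCTIONED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "10.30.5.0/24")]
SERVICE_ACCOUNTS = {"svc_bi_etl"}  # batch jobs that legitimately run at night
SENSITIVE_TABLES = {"members", "member_addresses"}


def parse_line(line):
    """Parse one constructed record: ts|principal|client_ip|table|op|rows (ts is UTC)."""
    ts, principal, ip, table, op, rows = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "principal": principal,
            "ip": ipaddress.ip_address(ip), "table": table, "op": op, "rows": int(rows)}


def detect(lines):
    """Return one alert per suspicious read of a sensitive table, in time order."""
    alerts = []
    window = defaultdict(deque)   # principal -> (ts, rows) pairs inside WINDOW
    totals = defaultdict(int)     # principal -> rows summed over its deque
    over = set()                  # principals already alerted on the window total
    for rec in sorted(map(parse_line, lines), key=lambda r: r["ts"]):
        if rec["op"] != "SELECT" or rec["table"] not in SENSITIVE_TABLES:
            continue
        p, reasons = rec["principal"], []
        if rec["rows"] >= ROW_THRESHOLD:
            reasons.append(f"bulk read of {rec['rows']} rows")
        if rec["ts"].hour not in BUSINESS_HOURS and p not in SERVICE_ACCOUNTS:
            reasons.append("off-hours interactive query")
        if not any(rec["ip"] in net for net in SANCTIONED_NETS):
            reasons.append(f"client {rec['ip']} outside sanctioned ranges")
        # Sliding-window total: add this read, evict reads older than WINDOW, then test.
        q = window[p]
        q.append((rec["ts"], rec["rows"]))
        totals[p] += rec["rows"]
        while rec["ts"] - q[0][0] > WINDOW:
            totals[p] -= q.popleft()[1]
        minutes = int(WINDOW.total_seconds() // 60)
        if totals[p] >= WINDOW_ROW_THRESHOLD and p not in over:
            over.add(p)   # alert once per excursion, not once per chunk
            reasons.append(f"{totals[p]} rows in {minutes}-minute window (chunked export?)")
        elif totals[p] < WINDOW_ROW_THRESHOLD:
            over.discard(p)
        if reasons:
            alerts.append({"ts": rec["ts"].isoformat(), "principal": p, "reasons": reasons})
    return alerts


# Constructed sample log (not real data); deliberately out of order to show
# that detect() sorts before applying the window.
SAMPLE_AUDIT_LOG = [
    "2026-04-14T10:02:11|app_pos|10.20.4.17|members|SELECT|1",               # normal store lookup
    "2026-04-14T09:00:00|j.doe|10.20.7.2|products|SELECT|250000",           # large, but not member PII
    "2026-04-14T02:00:03|svc_bi_etl|10.30.5.9|members|SELECT|48000",        # nightly ETL, sanctioned host
    "2026-04-14T11:30:00|m.smith|10.20.9.3|member_addresses|SELECT|120000",  # one huge daytime pull
] + [
    # Analyst account at 02:14-02:21 from outside the sanctioned ranges,
    # pulling 9,000 rows a minute: every chunk is below ROW_THRESHOLD.
    f"2026-04-14T02:{14 + i:02d}:07|j.doe|203.0.113.45|members|SELECT|9000" for i in range(8)
]

if __name__ == "__main__":
    for a in detect(SAMPLE_AUDIT_LOG):
        print(a["ts"], a["principal"], "; ".join(a["reasons"]))
```

On the sample, the point-of-sale lookups and the nightly ETL pass silently, the 250,000-row read of a non-member table is ignored by scope, the single 120,000-row daytime pull fires on both the per-statement and window rules, and the analyst's 9,000-row chunks each fire on the off-hours and network rules, with the window rule adding a chunked-export warning once the seventh chunk pushes the 15-minute total past 60,000 rows. In a real deployment the thresholds come from per-principal baselines, and the sanctioned ranges and service-account list come from the access inventory built in item 1.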

Sources: Cosmetics giant Rituals confirms data breach of customer membership records | TechCrunch