The Harrods Breach. Why Silence is the Wrong Strategy
The news that luxury department store Harrods has suffered a significant IT breach, resulting in the theft of data relating to 430,000 customer records, is a sober reminder that no business, regardless of size or reputation, is immune to cyber threats. The fact that the data was taken from a third-party provider merely highlights the inherent supply chain risk we all face.
Harrods confirmed that the affected data was limited to basic customer information, explicitly stating that no passwords or payment details were compromised. Crucially, however, the store followed up with a hardline public stance: they “would not engage with the ‘threat actor’.”
As a professional ransomware and extortion negotiator, I was genuinely surprised to read this statement. In my experience, and against the conventional wisdom I counsel my clients on, making a firm public declaration of non-engagement this early in the process is a mistake.
While the decision not to pay the ransom is often a valid and understandable one—especially given the nature of the stolen data (no PII, no payment details)—refusing to even open a dialogue runs contrary to best practice.
What’s Behind the Harrods Decision?
When I see a company take such an uncompromising stance so quickly, I immediately consider the possible reasons. It’s rarely a simple, singular decision, and outsiders should not be quick to judge it. Let’s take a look at some possible reasons.

1. Arrogance from the Store: In some high-profile cases, executive leadership can believe their brand strength or legal position is sufficient insulation against criminal action, leading them to underestimate the importance of communication with ransomware gangs.
2. Misunderstanding the Importance of Dialogue: Engagement isn’t payment. Companies sometimes fail to grasp that opening communications is a vital intelligence-gathering exercise, not an immediate surrender.
3. Advice from Police or Incident Response Teams (IR): It is possible the police or supporting IR firms advised a complete shutdown of communication. While this is sometimes the right move, it often hinders a comprehensive response by cutting off the only line to the perpetrator.
4. Miscommunication to the Media: The company may have failed to clearly distinguish between not paying and not engaging. Their intended message might have been “we will not pay,” but the public statement became “we will not talk.”
5. A Stalling Strategy: On the tactical side, a declaration of non-engagement can sometimes be a clever, albeit risky, stalling tactic designed to buy time for forensic analysis and system hardening while the threat actor waits for a response that will never come.

Dialogue is Due Diligence
Regardless of the reason, the core of my professional experience and opinion remains: companies who have been subjected to a ransomware or extortion attack should always use a trained individual to engage with the threat actors. When negotiation is properly considered, the benefits always outweigh the negatives.
Why?
• Intelligence Gathering: Talking to the hackers provides crucial intelligence. You can confirm the scope of the breach, the specific data held, the hacker’s motivation, and their level of technical sophistication. This intelligence directly informs your technical remediation efforts and legal exposure assessment.
• Proof of Deletion (Even for Basic Data): Even if the data is “basic,” you still have a duty to your customers to prevent its publication. Dialogue gives you the option to demand ‘proof of life’ to fully establish what data is threatened. Most criminals do not delete the data they have stolen, but its deletion, or an alternative arrangement, should still be requested, even if no money changes hands.
• Establishing Parameters: A negotiation firm can establish a secure, anonymous, and professional channel to manage the situation. They are used to dealing with criminal gangs, and a managed channel ensures no internal company personnel accidentally reveal critical information under duress. Ransomware negotiating is a specialist skill, and it should never make a situation worse when conducted properly.
Refusing to engage with the threat actors turns the incident response into a purely internal, technical problem. By contrast, engagement brings the external, human element of the conflict into a controlled, professional environment. Harrods’ decision is a bold one, but when dealing with professional cybercriminals, relying on silent hope is seldom a strategy for success. The door to communication should always be opened, if only to gather the intelligence needed to confidently slam it shut later.
It will be interesting to see if this decision not to engage with the attackers changes in the near future.