Cosmetics Giant Rituals Confirms Data Breach of Customer Membership Records

What happened

Netherlands-based cosmetics retailer Rituals has confirmed a data breach affecting customers’ personal information after hackers stole data from its membership database. The company disclosed the breach on Wednesday via email to affected customers.

Rituals said it identified an unauthorized download of members’ data in April containing customers’ full names, dates of birth, gender, postal and email addresses, phone numbers, preferred store locations, and account types. A company spokesperson confirmed the stolen data covers members in Europe and the United Kingdom, and subsequently confirmed the incident also affects some US customers after TechCrunch identified US-based customers among those notified.

Rituals has not described the nature of the attack, has not confirmed whether it received any communication from the hackers, and has declined to provide the exact number of affected members, citing security reasons. Its investigation is ongoing. The company has over 41 million customers in its membership database and reported €2.4 billion in revenue in 2025.

The breach follows a string of recent intrusions targeting UK and European retailers, including Co-op and Marks & Spencer, in which customer membership records were stolen and used as leverage for extortion.

Who is affected

Rituals members across Europe, the United Kingdom, and the United States face exposure of personal information including contact details, date of birth, gender, and account data. With over 41 million members in the database, the potential scope is substantial, though the exact number of affected individuals has not been disclosed.

Why CISOs should care

Rituals is the latest in a pattern of retail membership database breaches that appears to be accelerating. Co-op, Marks & Spencer, and now Rituals have all had customer records targeted within a short window. Membership databases are attractive targets precisely because they combine verified personal information with contact details, making the stolen data immediately useful for phishing, identity fraud, and extortion.

The refusal to confirm whether a ransom demand was received is a familiar response posture, but it leaves affected customers and security professionals without a clear picture of whether the data has been published or is still being held as leverage.

3 practical actions

  1. Audit access controls on customer membership and loyalty databases: These databases are becoming a primary target category for retail-sector attacks. Review who can query, export, or bulk-download membership records and ensure those capabilities are restricted, logged, and monitored for anomalous activity.
  2. Treat retail sector breach patterns as a current threat signal: The clustering of membership database breaches across Co-op, Marks & Spencer, and Rituals in a short timeframe suggests an active targeting campaign or shared tooling. Retailers and organizations with similar membership infrastructure should treat this pattern as a live threat, not isolated incidents.
  3. Prepare customer notification workflows before a breach occurs: Rituals notified customers via email but declined to provide key details citing security reasons. Having pre-approved notification templates, legal sign-off processes, and regulatory notification timelines ready in advance reduces the pressure on communications teams during an active investigation.
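As an added illustration of the monitoring called for in action 1 (not code from Rituals or from the original article), the script below parses a constructed database audit log in a hypothetical `principal=… action=… table=… rows=…` format and flags reads of a members table that exceed a row threshold, either in one query or as a sliding-window total per principal, while leaving an approved export job unflagged. The log lines, principal names, threshold and window are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed audit log in a hypothetical format (not Rituals' own systems):
# <ISO timestamp> principal=<id> action=<SELECT|EXPORT> table=<name> rows=<returned>
AUDIT_LOG = """\
2025-04-02T09:14:05Z principal=crm_app action=SELECT table=members rows=1
2025-04-02T09:14:09Z principal=crm_app action=SELECT table=members rows=3
2025-04-02T09:15:11Z principal=analyst_j action=SELECT table=members rows=250
2025-04-02T22:41:02Z principal=svc_backup action=EXPORT table=members rows=41000000
2025-04-02T22:42:40Z principal=reporting_etl action=EXPORT table=members rows=3200000
2025-04-02T22:43:19Z principal=analyst_j action=SELECT table=members rows=6000
2025-04-02T22:44:00Z principal=analyst_j action=SELECT table=members rows=6000
2025-04-02T22:45:30Z principal=analyst_j action=SELECT table=stores rows=120
"""
LINE_RE = re.compile(r"^(\S+) principal=(\S+) action=(\S+) table=(\S+) rows=(\d+)$")

def parse_events(log):
    """Parse audit lines into dicts sorted by time; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, principal, action, table, rows = m.groups()
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "principal": principal, "action": action, "table": table, "rows": int(rows)})
    return sorted(events, key=lambda e: e["ts"])

def flag_bulk_reads(events, table="members", row_threshold=10000,
                    window=timedelta(minutes=10), allowed_exporters=frozenset({"svc_backup"})):
    """Return (principal, rows, reason) for suspicious reads of `table`: one read at or
    above the threshold, or a sliding-window sum above it (a scraper paging in small chunks)."""
    alerts = []
    recent = defaultdict(deque)  # principal -> (ts, rows) pairs inside the window
    for e in events:
        if e["table"] != table:
            continue
        if e["action"] == "EXPORT" and e["principal"] in allowed_exporters:
            continue  # approved bulk job: logged, but not alerted on
        q = recent[e["principal"]]
        q.append((e["ts"], e["rows"]))
        while e["ts"] - q[0][0] > window:  # drop reads older than the window
            q.popleft()
        total = sum(r for _, r in q)
        if e["rows"] >= row_threshold:
            alerts.append((e["principal"], e["rows"], "single bulk read"))
        elif total >= row_threshold:
            alerts.append((e["principal"], total, "aggregate over window"))
            q.clear()  # report one scrape once, not on every subsequent page
    return alerts
```

Running `flag_bulk_reads(parse_events(AUDIT_LOG))` on the constructed log reports the unapproved `reporting_etl` export and the paged `analyst_j` reads, but not the approved backup job.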