What happened
French home improvement retailer Leroy Merlin reported a data breach after an unauthorized party accessed a third-party system that stored customer information. The company said the exposed data did not include payment details.
Who is affected
Customers in France who used specific Leroy Merlin online services are impacted. The company is notifying affected individuals and coordinating with authorities.
Why CISOs should care
The incident shows the ongoing risk tied to third-party vendors that handle sensitive data. Even large retail companies face exposure when external partners lack strong controls. CISOs need clear oversight of how vendors store and secure customer information.
3 practical actions
-
Review vendor access and data handling policies to confirm they meet internal security requirements.
-
Audit third-party systems that store customer or operational data and enforce least privilege.
-
Update incident response plans to cover fast collaboration with vendors during breaches.