Rituals confirms data breach: Customer membership records compromised
Dutch cosmetics giant Rituals has confirmed a data breach that exposed personal details of its loyalty program members. The company disclosed the incident in an email sent to affected customers, which TechCrunch reviewed and verified. Hackers stole a large volume of data from the company’s membership database, raising privacy and security concerns for millions of users.
What data was stolen in the Rituals data breach?
The stolen records include a range of personal identifiers: full name, date of birth, gender, postal address, email address, phone number, preferred store, and account type. Rituals spokesperson Eline van Malssen confirmed that the breach affected customers across Europe and the United Kingdom. However, TechCrunch learned that some U.S. customers also received notifications, indicating a broader impact than initially stated.
This incident is part of a worrying trend. Over the past year, several major retailers have suffered similar intrusions. For example, UK grocery chain Co-op and clothing retailer Marks & Spencer both reported customer data theft. Cybercriminals often target membership databases because they contain valuable personal information that can be used for identity theft, phishing, or extortion.
How did the Rituals cyberattack happen?
Rituals stated that it identified an “unauthorized download” of member data in April. The company did not disclose the exact method used by the attackers, nor did it provide a precise timeline. When asked about ransom demands or communication from the hackers, the spokesperson declined to comment, citing “security reasons.” This lack of transparency has frustrated some customers, who are demanding more details about the breach and how the company plans to prevent future incidents.
Cybersecurity experts emphasize that prompt disclosure is critical. Companies that delay or withhold information risk losing customer trust; a ransomware attack on a retail chain, for instance, can lead to reputational damage and regulatory fines. Rituals has not yet confirmed whether it received a ransom note or whether the stolen data has been published online.
Who is affected by the Rituals data leak?
According to Rituals’ website, its membership program boasts over 41 million customers. The company generated €2.4 billion ($2.8 billion) in revenue in 2025, making it a significant player in the global cosmetics market. The breach affects members in Europe, the UK, and the US, though the exact number of impacted individuals remains unclear.
As a result, affected customers should be vigilant. Personal data like birth dates and addresses can be used to create convincing phishing emails or social engineering attacks. Rituals has advised members to monitor their accounts for suspicious activity and to reset their passwords. For more guidance, check out our tips on protecting personal data after a breach.
Steps Rituals is taking
The company says its investigation is ongoing. It has not shared details about enhanced security measures, but typical responses include implementing multi-factor authentication, conducting penetration testing, and hiring external cybersecurity firms. Customers expect a clear action plan, including credit monitoring services or identity theft protection.
What this means for the cosmetics industry
This Rituals data breach underscores the vulnerability of loyalty programs across the beauty sector. Many companies collect vast amounts of personal data to personalize marketing and improve customer experience. However, this data becomes a lucrative target for cybercriminals. Retailers must balance personalization with robust security protocols.
Furthermore, regulators are paying attention. Under GDPR, companies face fines of up to 4% of annual global turnover for failing to protect customer data. For Rituals, that could amount to nearly €96 million. The breach may also trigger class-action lawsuits, as seen in other high-profile cases. Learn more about GDPR compliance for retailers to understand the legal landscape.
In conclusion, the Rituals data breach serves as a stark reminder that no company is immune to cyber threats. Customers should take proactive steps to safeguard their information, while businesses must invest in stronger defenses. As the investigation unfolds, more details may emerge about the attackers’ motives and methods.