French retailer Leroy Merlin, a major player in home improvement and gardening with operations across Europe, South Africa, and Brazil, recently experienced a cyberattack targeting its information system. The company, which employs 165,000 people and brings in an annual revenue of $9.9 billion, has confirmed that the incident has compromised the personal data of its customers in France. The breach was confirmed via a notification the company sent to affected individuals, as circulated on social media, indicating that certain customer information may have leaked outside the company’s control.
The specific types of personal information exposed in the breach include customers’ full name, phone number, email address, postal address, date of birth, and loyalty program-related information. Crucially, the company has clarified that banking data and online account passwords were not included in the compromised information set. The notification assured customers that immediately upon detection, all necessary measures were taken to block unauthorized access and contain the security incident to prevent further leakage.
The company’s notice further suggested that the stolen data has not yet been used maliciously, implying it has not appeared online or been leveraged for extortion purposes. Despite this, Leroy Merlin urged all affected customers to remain vigilant regarding unsolicited communications, especially those that appear to impersonate the brand. The notification provided customers with practical guidance on how to identify potential phishing messages, ensuring they are prepared to defend against social engineering attacks.
In addition to being watchful for phishing, customers were instructed to report any detected anomalies in their account activity or any issues they might experience with redeeming their loyalty discounts directly to the company. This measure aims to quickly identify and address any malicious use of the stolen loyalty program information. The overall goal of the notification is to inform customers transparently while providing actionable steps for their protection.
While BleepingComputer was able to confirm the authenticity of the customer notification, the company has not yet provided further details regarding the number of affected customers or the full scope of the attack. As of the time of reporting, there have been no public claims of responsibility from any known ransomware or hacking group regarding the cyberattack on Leroy Merlin. The investigation into the incident is ongoing as the company works to solidify its security and fully assess the impact.