Rituals Cosmetics Discloses Data Breach — Up to 40 Million My Rituals Members' PII Potentially Exposed

Amsterdam-based luxury cosmetics brand Rituals has disclosed a breach of its My Rituals membership platform affecting potentially up to 40 million registered members across its 1,170-plus retail locations in 37 countries. Exposed data includes names, contact details, date of birth, gender, and purchase history. The breach carries significant GDPR obligations as Rituals is headquartered in the EU.

#breach #gdpr #retail #pii #membership-data #eu-data-protection

Rituals Cosmetics, the Dutch luxury personal care brand operating over 1,170 stores across Europe, Asia, and North America, has disclosed a breach of the My Rituals customer loyalty and e-commerce platform. The company’s breach notification indicates that an unauthorised party gained access to the membership database, potentially exposing records for up to 40 million registered members.

The breach was identified by Rituals’ security team following anomalous database query patterns detected by its monitoring infrastructure. The company states it took immediate steps to contain the incident and has engaged a forensic investigation firm. No ransomware group has claimed responsibility at time of publication.
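The article says the intrusion was caught by anomalous database query patterns rather than by an external tip-off. As an added illustration of the kind of check that produces such a signal, and not Rituals' own monitoring code, the Python below applies three simple rules to constructed audit-log lines: a single statement returning an unusually large result set from a sensitive table, cumulative rows pulled by one principal inside a short window, and a sensitive-table read from a source outside the application tier. The log line format, the table names, the IP ranges and every threshold are assumptions made for the example.

```python
"""Bulk-read detection over database audit log lines (added example).

Not Rituals' monitoring code. Log format, table names, source allowlist
and thresholds are all assumptions constructed for this illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed audit line layout: <ISO ts> user=<principal> src=<ip> rows=<n> sql=<statement>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) rows=(?P<rows>\d+) sql=(?P<sql>.*)$"
)
TABLE_RE = re.compile(r"\bFROM\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)

# Policy values chosen for the example, not figures from the article.
SENSITIVE_TABLES = {"members", "purchases"}
MAX_ROWS_PER_QUERY = 10_000          # one statement returning more rows than this
WINDOW = timedelta(minutes=5)        # sliding window for cumulative volume
MAX_ROWS_PER_WINDOW = 100_000        # cumulative rows per (user, src) in the window
KNOWN_APP_SOURCES = ("10.0.1.",)     # constructed allowlist prefix for the app tier

# Constructed sample log, in chronological order (the sliding window relies on it).
# The low-volume web_app reads are the normal per-member lookups; the
# reporting_ro reads page through the whole members table from an unknown host.
SAMPLE_LOG = """\
2024-05-01T03:12:40Z user=reporting_ro src=203.0.113.7 rows=500000 sql=SELECT name,email,dob,phone FROM members LIMIT 500000 OFFSET 0
2024-05-01T03:12:58Z user=reporting_ro src=203.0.113.7 rows=500000 sql=SELECT name,email,dob,phone FROM members LIMIT 500000 OFFSET 500000
2024-05-01T03:13:15Z user=reporting_ro src=203.0.113.7 rows=500000 sql=SELECT name,email,dob,phone FROM members LIMIT 500000 OFFSET 1000000
2024-05-01T09:00:01Z user=web_app src=10.0.1.5 rows=1 sql=SELECT * FROM members WHERE member_id=48213
2024-05-01T09:00:04Z user=web_app src=10.0.1.6 rows=12 sql=SELECT * FROM purchases WHERE member_id=48213
2024-05-01T09:00:05Z user=web_app src=10.0.1.5 rows=1 sql=SELECT * FROM members WHERE member_id=77120
2024-05-01T09:00:07Z user=web_app src=10.0.1.6 rows=3 sql=SELECT * FROM purchases WHERE member_id=77120
2024-05-01T09:00:09Z user=web_app src=10.0.1.5 rows=1 sql=SELECT * FROM sessions WHERE token='abc'
"""


def parse_line(line):
    """Parse one audit line into a dict, or return None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "user": m["user"],
        "src": m["src"],
        "rows": int(m["rows"]),
        "tables": {t.lower() for t in TABLE_RE.findall(m["sql"])},
        "sql": m["sql"],
    }


def detect_bulk_reads(log_text):
    """Return a list of findings for reads against sensitive tables."""
    findings = []
    windows = defaultdict(deque)   # (user, src) -> deque of (ts, rows) inside WINDOW
    totals = defaultdict(int)      # (user, src) -> rows currently inside WINDOW
    alerted_source, alerted_volume = set(), set()

    def finding(rule, ev, detail):
        return {"rule": rule, "user": ev["user"], "src": ev["src"],
                "ts": ev["ts"].isoformat(), "detail": detail}

    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or not (ev["tables"] & SENSITIVE_TABLES):
            continue  # skip garbage and reads that touch no sensitive table
        key = (ev["user"], ev["src"])

        # Rule 1: sensitive-table read from a host outside the application tier.
        if not ev["src"].startswith(KNOWN_APP_SOURCES) and key not in alerted_source:
            alerted_source.add(key)
            findings.append(finding("unexpected_source", ev, f"src {ev['src']} not in app allowlist"))

        # Rule 2: one statement returning far more rows than a per-member lookup should.
        if ev["rows"] > MAX_ROWS_PER_QUERY:
            findings.append(finding("bulk_read", ev, f"{ev['rows']} rows: {ev['sql']}"))

        # Rule 3: cumulative rows by the same principal inside the sliding window.
        q = windows[key]
        q.append((ev["ts"], ev["rows"]))
        totals[key] += ev["rows"]
        while q and ev["ts"] - q[0][0] > WINDOW:
            totals[key] -= q.popleft()[1]
        if totals[key] > MAX_ROWS_PER_WINDOW and key not in alerted_volume:
            alerted_volume.add(key)
            findings.append(finding("volume", ev, f"{totals[key]} rows within {WINDOW}"))
    return findings


if __name__ == "__main__":
    for f in detect_bulk_reads(SAMPLE_LOG):
        print(f["ts"], f["rule"], f["user"], f["src"], f["detail"])
```

Run against the sample, the web_app lookups produce nothing while the paged export from the reporting account trips all three rules. The design point is that the per-statement and per-window thresholds are set relative to what the application legitimately needs (one member per request), so an account whose normal job is small reads stands out long before a full table has been paged out; in production those thresholds would be tuned per principal from historical volume rather than hard-coded.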

Scope of Exposed Data

Rituals’ notification to affected customers and the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) describes the following potentially compromised data categories:

  • Full name and contact address
  • Email address and mobile phone number
  • Date of birth and gender
  • My Rituals membership tier and membership number
  • Purchase history (product names, purchase dates, store or online channel)
  • Saved payment method indicators (last four digits only — full payment card data is stored in a separate PCI-scoped environment and is not believed to be exposed)

The company states that account passwords were stored as bcrypt hashes with per-user salts, and that authentication credentials are not considered usefully compromised.

GDPR Obligations and Timeline

Rituals is headquartered in Amsterdam and processes personal data of EU residents as both a data controller (for EU members) and under data transfer agreements (for members in Asia and North America). This creates layered regulatory obligations:

GDPR Article 33: Rituals was required to notify the Dutch DPA within 72 hours of becoming aware of the breach. The company’s notification indicates it met this deadline. The Dutch DPA, as lead supervisory authority under the one-stop-shop mechanism, will coordinate with data protection authorities in other EU member states where Rituals operates.

GDPR Article 34: Given that the breach involves personal data including date of birth and purchase history at scale, notification to affected individuals is required “without undue delay.” Rituals has stated it will send individual notifications by email within five business days.

Potential fines: Under GDPR Article 83(4) and (5), administrative fines for breaches can reach €20 million or 4% of global annual turnover — Rituals’ annual revenue is estimated at €700 million+, placing maximum exposure in the vicinity of €28 million. Actual enforcement will depend on the DPA’s assessment of security measures and response adequacy.

UK Data Breach Notification

For members who joined My Rituals through UK retail channels (Rituals operates 130+ stores in the UK), the UK GDPR and Data Protection Act 2018 govern notification. The Information Commissioner’s Office (ICO) requires notification within 72 hours of becoming aware of a breach affecting UK residents, and Rituals has confirmed it notified the ICO within the required window.

Phishing Risk for Affected Members

Members should be aware that breach data including purchase history and membership details enables highly targeted phishing. Fraudulent emails claiming to be from Rituals offering loyalty point reimbursements, exclusive offers, or security remediation are a predictable follow-on from this type of consumer loyalty database breach. Genuine Rituals communications will not request password changes via email link or ask for payment information.

Takeaways for Retail Security Practitioners

  • Loyalty programme databases are high-value targets — they combine broad PII coverage with purchase history that enables social engineering at scale. Security investment in these platforms should reflect their data sensitivity.
  • bcrypt password hashing is table stakes, not a differentiator — Rituals’ statement that passwords were bcrypt-hashed is accurate but should be the baseline, not the headline. Security teams should assess what else is in the database, not just whether passwords are recoverable.
  • PCI scope separation is working as intended — the separation of payment card data from the membership database prevented the breach from extending to card credentials. This architecture pattern is worth preserving under pressure to unify customer data platforms.
