RC RANDOM CHAOS

Rituals breach exposes member data from 41M-strong loyalty database

via BleepingComputer

Original source: Cosmetics giant Rituals discloses data breach affecting customers (BleepingComputer)

Dutch cosmetics retailer Rituals confirmed that an attacker exfiltrated personal records from its My Rituals loyalty program database earlier this month. Exposed fields include full name, email, phone number, date of birth, gender, and home address. Passwords and payment data were not accessed, and the company says it cut off the intruder’s access once the unauthorized downloads were detected.

Rituals has not disclosed how many of the program’s 41 million members were affected, nor the attack vector or threat actor. A forensic investigation is underway, and regulators have been notified. Affected customers, including some in the US, were contacted directly, though the company is withholding attribution details.

The incident continues the pattern of loyalty and membership databases as soft targets: rich in marketing-grade PII, often less hardened than payment systems, and lucrative for phishing and identity-abuse downstream even without card data. For a retailer pulling €2.4 billion in 2025 revenue across 33 countries, the regulatory exposure under GDPR and state-level US breach laws is the more immediate tail risk.

This is an AI-generated summary. Read the original for the full story.