"The personal data involved (to the extent you have shared it with us) may include full name, email address, phone number, date of birth, gender, home address. We can confirm that no passwords or payment information were accessed," Rituals said.
Rituals' disclosure and immediate containment
Dutch cosmetics company Rituals disclosed a security incident this week after it was alerted to unauthorized downloads from its "My Rituals" membership database. According to the company's Wednesday notice, the breach was discovered earlier this month. Rituals said it has contained the incident by blocking the attackers' access and has notified relevant authorities.
What data the company says was taken
In its statement, Rituals described the scope of personal information taken from its loyalty database. The company listed full name, email address, phone number, date of birth, gender and home address as the personal data that "may" have been involved, while explicitly confirming that no passwords or payment information were accessed.
Scale, notifications and public reporting
Rituals did not disclose how many customers were affected. The company noted its My Rituals loyalty programme has over 41 million members worldwide, but did not link that figure directly to the number of records taken. TechCrunch, which first reported the incident, said Rituals notified some customers in the United States. Rituals told BleepingComputer it has informed affected customers directly and has reported the incident to the relevant authorities.
Investigation status and unanswered technical questions
Rituals said it has initiated an in-depth forensic investigation to determine how the breach occurred and to identify measures to prevent a recurrence. The company has not disclosed the technical nature of the attack, has not attributed it to any threat actor, and said it has yet to find evidence that the stolen information has been leaked online. A company spokesperson told BleepingComputer that, for security reasons, Rituals would not provide further details on attribution or on any potential communications with the unauthorised party. No cybercrime groups or other threat actors have claimed responsibility in public reporting tied to this disclosure.
What this means for My Rituals members, regulators, and security teams
- My Rituals members: Rituals says it has informed affected customers directly; members who receive a notice will need to watch for further communications from the company about next steps and be alert for unsolicited contact that uses the personal details listed in the company statement.
- Regulators and authorities: Rituals has notified "relevant authorities" and reported the incident; those bodies will have the company’s report and any forensic findings Rituals shares as the investigation proceeds.
- Security teams and investigators: Rituals has launched an in-depth forensic probe and blocked the attackers’ access; security teams involved will be focused on determining the attack vector, confirming whether data was exfiltrated beyond the downloads detected, and verifying the absence of an online leak.
Rituals provided the disclosure against a backdrop of company growth: the business was founded in 2000 in Amsterdam, reported €2.4 billion in revenue in 2025, employs over 12,000 people worldwide and operates more than 1,400 retail boutiques and just over 4,800 luxury perfumeries and department stores across 33 countries. The company’s public statements so far emphasize containment, notification and a forensic review, while leaving open the central technical questions of how the downloads occurred, how many individual records were taken, and whether the data will appear in public leak sites or elsewhere.
Original reporting: BleepingComputer — Cosmetics giant Rituals discloses data breach affecting customers




