Rituals data breach exposes customer information across Europe, company confirms

Rituals, an Amsterdam-based cosmetics retailer operating more than 1,500 stores worldwide, has confirmed a cyberattack that resulted in the theft of personal information belonging to customers enrolled in its MyRituals membership program.

The company said hackers gained unauthorized access to its systems and extracted customer data, including full names, addresses, phone numbers, email addresses, dates of birth and gender. Additional details such as account types and preferred store locations may also have been compromised. Rituals stated that passwords and payment information were not accessed.

The number of affected customers has not been disclosed. Notifications have been sent to impacted individuals across multiple European countries, indicating the breach extends beyond the Netherlands. The company reported the incident to the Dutch Data Protection Authority, known as the Autoriteit Persoonsgegevens.

Rituals said there is currently no evidence that the stolen data has been published online. The company is working with external cybersecurity specialists to monitor potential exposure on illicit online marketplaces. Customers have been urged to remain alert to phishing attempts, as attackers could use personal details to craft convincing fraudulent communications.

In a message to customers, Rituals said it has brought the situation under control and is continuing to assess the scope of the breach. The company issued an apology, acknowledging that the incident may cause concern among affected individuals.

Founded in 2000, Rituals is a global cosmetics and wellness brand with reported annual revenue of €2.4 billion in 2025. The company has previously faced incidents involving scammers impersonating its brand in promotional emails, though those cases were described as unrelated to the current breach.

The incident adds to a series of major cyberattacks affecting organizations in the Netherlands and across Europe in recent months. Telecom provider Odido disclosed a breach earlier this year involving 6.2 million current and former customers, while travel platform Booking.com and fitness chain Basic-Fit also reported unauthorized access to customer data. Healthcare software provider ChipSoft has confirmed separate incidents involving access to patient information.