Hackers broke into the membership database of Amsterdam-based cosmetics giant Rituals and downloaded customer records including full names, home addresses, phone numbers, email addresses, dates of birth, and gender data. The company has 41 million members in its My Rituals loyalty program. It won’t say how many were affected.
Rituals disclosed the breach on April 22 after discovering an “unauthorised download” of member data earlier in the month. Passwords and payment information were not accessed, the company said. No ransomware group has claimed responsibility, and Rituals says it hasn’t found the data published online — yet.
The company reported the incident to the Dutch Autoriteit Persoonsgegevens (AP) under GDPR’s 72-hour notification requirement and began notifying affected customers directly.
The Loyalty Program Problem
Rituals joins a long list of companies that learn the hard way what happens when you build a massive personal data repository and treat it as a marketing asset rather than a liability.
Loyalty programs are goldmines for attackers. Unlike payment databases, which are typically encrypted and heavily monitored, membership databases contain verified, accurate personal information that members voluntarily keep up to date. Names, addresses, birthdates, phone numbers — the exact data needed for identity theft, social engineering, and targeted phishing campaigns.
The combination of name, date of birth, and home address is what researchers call a “quasi-identifier.” Together, these fields can uniquely identify individuals and are commonly used in account recovery processes. Attackers who hold this combination don’t need your password — they can often reset it.
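As an added illustration (example code written for this article, not code or data from Rituals or the breach), a small k-anonymity check over a constructed member table shows how fields that are harmless on their own become a quasi-identifier in combination; the records and helper names are hypothetical.

```python
from collections import Counter
from itertools import combinations

# Constructed sample of loyalty-program records (fictional people); no field alone
# singles anyone out, which is the point of the checks below.
MEMBERS = [
    {"name": "Anna de Vries", "dob": "1988-03-14", "postcode": "1012AB", "gender": "F"},
    {"name": "Anna de Vries", "dob": "1975-11-30", "postcode": "1012AB", "gender": "F"},
    {"name": "Jan Bakker",    "dob": "1988-03-14", "postcode": "1012AB", "gender": "M"},
    {"name": "Jan Bakker",    "dob": "1988-03-14", "postcode": "3011CD", "gender": "M"},
    {"name": "Robin Jansen",  "dob": "1975-11-30", "postcode": "3011CD", "gender": "F"},
    {"name": "Robin Jansen",  "dob": "1975-11-30", "postcode": "3011CD", "gender": "M"},
]


def equivalence_classes(records, fields):
    """Group records by their values in `fields`; group sizes are the k of k-anonymity."""
    return Counter(tuple(r[f] for f in fields) for r in records)


def k_anonymity(records, fields):
    """Smallest group size. k == 1 means at least one member is pinned down exactly."""
    return min(equivalence_classes(records, fields).values())


def unique_fraction(records, fields):
    """Share of records that are alone in their group, i.e. re-identifiable from
    these fields without any password or other secret."""
    classes = equivalence_classes(records, fields)
    singletons = sum(1 for r in records if classes[tuple(r[f] for f in fields)] == 1)
    return singletons / len(records)


def minimal_identifying_sets(records, fields):
    """Every smallest combination of `fields` that already yields k == 1 for some
    record. These are the quasi-identifiers a data-minimisation review should
    question storing together (only one field of the pair is needed for marketing)."""
    found = []
    for n in range(1, len(fields) + 1):
        for combo in combinations(fields, n):
            if any(set(s) <= set(combo) for s in found):
                continue  # a smaller subset already identifies someone
            if k_anonymity(records, list(combo)) == 1:
                found.append(combo)
    return found
```

In the sample table no single field identifies anyone (k is 2 or 3), but every pair of fields does, and name plus date of birth plus postcode makes four of the six members unique.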
Rituals is warning members to watch for phishing emails that may use their stolen personal details to appear legitimate. That’s sound advice, but it puts the burden of vigilance back on the people whose data was supposed to be protected.
The Fourth Dutch Breach in Three Months
Rituals isn’t an isolated incident. It’s the fourth major data breach hitting a Dutch company since February:
- Odido (telecoms) — 6.2 million customers affected in February. Stolen data was dumped on the dark web after the company refused to pay ransom
- Booking.com — Reservation data breached in April
- Basic-Fit (fitness chain) — Up to 1 million European members impacted in April
- Rituals — 41-million-member database accessed in April
That’s an alarming concentration. The Netherlands has strong data protection authorities and GDPR enforcement — the Dutch AP processed over 25,000 breach notifications in 2024 alone. But regulation can only do so much when companies accumulate vast personal data stores without matching investment in security.
GDPR Notification Is Not GDPR Protection
Rituals followed the rules. They notified the Dutch AP within 72 hours. They’re contacting affected customers. They contained the breach. From a compliance checkbox perspective, they’re doing everything right.
But compliance with notification rules doesn’t undo the damage. Those 41 million records — however many were actually taken — are now outside the company’s control for good. The people in that database face years of potential phishing attacks, identity fraud attempts, and social engineering campaigns. The data doesn’t expire.
The Dutch AP has the authority to investigate and fine, but its track record shows that enforcement tends to follow the largest, most egregious cases. A “we followed the process” response from Rituals may be enough to avoid significant penalties, even though millions of Europeans are now more vulnerable than they were a week ago.
Why This Matters
Every time you sign up for a loyalty program, you’re making a bet. You’re betting that the free shipping or birthday discount is worth handing over your name, address, birthdate, and contact details to a company that will store them indefinitely. You’re betting they’ll protect that data as carefully as you would.
Rituals is a premium brand with over a billion euros in annual revenue. If they can’t keep a membership database secure, the question isn’t whether your loyalty data is safe — it’s which loyalty program will be breached next.
The pattern across these Dutch breaches is consistent: large consumer-facing companies collecting far more personal data than they need, storing it longer than necessary, and discovering the cost of that decision only after attackers find a way in.
If you’re a Rituals member, change your password and watch for suspicious emails that reference your personal details. If you used the same password elsewhere, change those too.
More broadly, treat loyalty program sign-ups the way you’d treat any data-sharing decision: give the minimum information required, use a unique email address where possible, and remember that every field you fill in is another piece of data that could end up in someone else’s hands.