Luxury Meets Liability: The Harrods Vendor Breach
Weekly Threat Analysis (Sep 24 – Oct 1, 2025)
Source: Trescudo Intelligence • Author: Evangeline Smith, MarCom • September 30, 2025
Executive summary
Edge devices under active attack. CISA issued an Emergency Directive for multiple Cisco ASA/FTD zero-days exploited at scale (linked to prior “ArcaneDoor” activity). Patch/forensic timelines are aggressive. (CISA)
Retail supply-chain breach: Harrods disclosed a third-party compromise affecting ~430k customer records (names/contact data; no passwords/cards), underscoring vendor risk. (AP News)
Aviation follow-ups: After the Collins Aerospace MUSE ransomware incident, recovery continued through the week; UK police arrested a suspect; ops at affected EU hubs improved but knock-ons persisted. WestJet also disclosed a separate breach (no payments). (Reuters)
Browser zero-day remains hot: Chrome CVE-2025-10585 (V8 type confusion) remains on CISA KEV; enforce the patched Chrome 140 build, not merely any 140.x release. (CISA)
Macro trend: ENISA’s 2025 Threat Landscape (released today) flags tool/technique reuse across groups and continued focus on EU essential services. (ENISA)
Defender note: Google announced Drive AI ransomware detection (open beta) that pauses sync on suspected encryption—worth testing in pilot tenants. (The Verge)
Notable incidents & developments
1) Zero-days on Cisco edge (urgent)
CISA ED 25-03 directs federal agencies to identify, hunt on, and patch ASA/FTD devices (CVE-2025-20333 and CVE-2025-20362 actively exploited; CVE-2025-20363 also flagged as high risk). Partners attribute the activity to sophisticated, likely state-sponsored actors. Deadlines begin this week. (CISA)
Cisco’s advisory confirms exploitation of the VPN web server components; guidance includes software updates and compromise assessment steps. (Cisco)
Why it matters: Perimeter devices with web VPN exposed remain prime ingress; some campaigns show firmware/ROM persistence tactics. Treat as a potential domain-wide incident, not just a patch job. (TechRadar)
2) Harrods third-party breach (~430k records)
Harrods notified customers after a supplier compromise leaked contact/marketing data; company says no passwords/payment data implicated; investigation ongoing. (AP News)
Technical press pegs the count around 430,000; the retailer refused to engage with threat actors. (BleepingComputer)
Why it matters: Classic downstream vendor breach—reinforces data minimization, supplier IR SLAs, and segregated marketing stacks.
3) Aviation: ransomware fallout & fresh disclosure
Collins Aerospace (MUSE): ransomware disrupted EU check-in/boarding; restoration continued into the week; suspect arrested in the UK. (Reuters)
WestJet: disclosed a June breach (names, contact, travel docs; no card data) attributed to a “sophisticated, criminal third party.” (Reuters)
Why it matters: Passenger-processing concentration risk + multi-supplier dependencies = systemic operational exposure.
4) Chrome zero-day (CVE-2025-10585) still active
CISA added the bug to KEV; enterprises should enforce a minimum of the patched Chrome 140 build (earlier 140.x releases predate the fix) and verify coverage in VDI and kiosk pools, where golden images tend to lag. (CISA)
5) Strategic landscape & defender tools
ENISA Threat Landscape 2025 highlights convergent tradecraft and collaboration among threat groups targeting EU digital infrastructure. (ENISA)
Google Drive added AI ransomware detection (open beta) to halt suspicious mass-encryption by pausing sync and offering version restore. (The Verge)
AT&T breach settlements (older incidents) moved forward; claims window may drive customer queries and phishing lures. (Investopedia)
Sector lens (EU/UK focus)
Aviation/transport: Review vendor fallbacks (manual check-in, bag tags, offline boarding pass), and supplier war-room procedures; cross-check for exposure to Cisco ASA/FTD bugs at airport/airline/handler perimeters. (Reuters)
Retail/e-commerce: Tighten martech/vendor access, enforce MFA + IP allow-listing, and rotate API keys/tokens stored with suppliers. Harrods shows marketing-data exposure can still trigger regulatory & reputational risk. (AP News)
Healthcare: Continue hardening against ransomware and identity compromise; watch for Chrome zero-day coverage on clinical workstations and kiosks.
What to do this week (priority actions)
Cisco ASA/FTD: Identify all internet-facing devices; patch or mitigate immediately, run the compromise-assessment checks per Cisco/CISA, and rotate any credentials stored on or authenticated through the device (local accounts, VPN users, AAA shared secrets, certificates). Document by site and asset owner. (CISA)
Browser fleet: Enforce the patched Chrome 140 build (not just any 140.x) across endpoints, VDI pools and kiosks; confirm with device compliance reports and treat devices that report no version as unverified rather than compliant. (CISA)
Vendor exposure review: For any partner handling customer contact data or check-in/booking, validate IR SLAs, breach comms templates, and data minimization. (AP News)
Resilience drills (aviation): Rehearse manual throughput for check-in/boarding; verify paper stock, offline printing, and queue comms. (Reuters)
Ransomware defenses: Test restore from last backups (immutable copy), and consider piloting Google Drive ransomware detection where appropriate. (The Verge)
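The browser-fleet check above is the kind of thing that goes wrong quietly: compliance exports are compared as strings ("99.0" sorts after "140.0"), or "Chrome 140" is accepted when the device is still on a 140.x build that predates the fix. The following script is an added example written for this briefing, not tooling from CISA, Google or Trescudo. It takes a device-compliance CSV export (column names device, pool and chrome_version are assumed; adjust to your MDM's export), compares versions numerically, and buckets devices as patched, vulnerable or unknown. The sample rows are constructed, and the minimum build is an assumption you should confirm against Google's Chrome release notes before enforcing.

```python
"""Flag endpoints whose Chrome build is below the patched release.

Added example for fleet triage. Input is a device-compliance export (CSV)
with columns device,pool,chrome_version (assumed column names).
"""
import csv
import io
import re
from typing import Dict, List, Optional, Tuple

# Assumed minimum build; confirm the exact fixed build for CVE-2025-10585
# against Google's Chrome Releases notes before enforcing it.
MIN_VERSION = "140.0.7339.185"

_VERSION_RE = re.compile(r"^\d+(?:\.\d+){0,3}$")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn '140.0.7339.185' into a comparable 4-tuple; None if unparseable.

    Comparing version strings lexically is a classic bug ('99.0' > '140.0'),
    so compare integer tuples instead. Short versions are padded with zeros.
    """
    text = text.strip()
    if not _VERSION_RE.match(text):
        return None
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (4 - len(parts))


def is_patched(version: str, minimum: str = MIN_VERSION) -> Optional[bool]:
    """True if version >= minimum, False if below, None if unknown."""
    v = parse_version(version)
    m = parse_version(minimum)
    if v is None or m is None:
        return None
    return v >= m


def triage(csv_text: str, minimum: str = MIN_VERSION) -> Dict[str, List[str]]:
    """Bucket devices into patched / vulnerable / unknown.

    'unknown' (blank or garbled version) is reported separately so that a
    device that never checked in is not silently counted as compliant.
    """
    buckets: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        version = row.get("chrome_version", "") or ""
        status = is_patched(version, minimum)
        key = "unknown" if status is None else ("patched" if status else "vulnerable")
        buckets[key].append(f"{row['device']} ({row['pool']}) {version}")
    return buckets


# Constructed sample export: a laptop on a later build, a VDI golden image
# still on an early 140.x, a kiosk on 139, a laptop exactly at the minimum,
# and a clinical workstation that reported no version.
SAMPLE_EXPORT = """device,pool,chrome_version
LAP-0142,corporate,140.0.7339.207
VDI-GOLD-03,vdi,140.0.7339.80
KIOSK-T2-11,kiosk,139.0.7258.154
LAP-0199,corporate,140.0.7339.185
CLIN-WS-07,clinical,Unknown
"""

if __name__ == "__main__":
    result = triage(SAMPLE_EXPORT)
    for bucket, devices in result.items():
        print(f"{bucket}: {len(devices)}")
        for entry in devices:
            print(f"  {entry}")
```

On the sample data, VDI-GOLD-03 lands in the vulnerable bucket despite reporting a 140.x version, which is exactly the case a "Chrome 140+" check would miss; feed the vulnerable and unknown lists to the VDI and kiosk owners rather than reporting an aggregate percentage.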
Quick intel to share internally (copy/paste)
Cisco zero-days: CVE-2025-20333/-20362 (ASA/FTD) exploited; CISA ED 25-03 mandates rapid action.
Harrods breach: ~430k contact records via supplier; retail vendor risk front-and-center.
Aviation: Collins MUSE ransomware fallout continues; WestJet breach disclosed (no cards).
Chrome: CVE-2025-10585 in KEV; ensure the patched Chrome 140 build is enforced enterprise-wide.
Trend: ENISA flags converging TTPs against EU critical sectors.