Rituals Cosmetics Hit by Data Breach in Latest Cyber Attack
Rituals Cosmetics confirmed a data breach in which personal data of loyalty members was unlawfully downloaded in April, the latest in a series of cyber attacks on Dutch companies.
Dutch cosmetics chain Rituals has become the latest in a growing line of Dutch companies to be hit by a data breach, after an unauthorised party downloaded the personal data of an undisclosed number of loyalty programme members. The company notified affected customers by email on Wednesday morning and says the situation is now under control.
Rentals in the Netherlands
Signaal tracks the Dutch rental market and notifies you the moment something matches your search. Be first to apply.
The breach was discovered in April 2026. After detecting the unauthorised access, Rituals immediately took action and blocked the entry point. The company's investigation confirmed that personal data of a portion of its members was involved in the incident.
The data that was accessed includes names, addresses, email addresses, dates of birth, gender, account type and preferred store. Passwords and payment details were not taken.
Rituals has not disclosed how many members were affected. When asked, the company said: "For security reasons, we are not making any statements about the number of members involved at this time."
What members should know
Rituals states that there is no direct action required from customers. However, the company is warning members to stay alert to phishing attempts, where criminals pose as a trusted organisation to try to obtain personal data or money.
The stolen data has not, as far as is known, been made publicly available. Rituals also stresses that this incident is separate from earlier phishing campaigns that circulated in its name, including fake birthday gift emails that targeted customers in previous years.
Investigation and security measures
Rituals has reported the breach to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) and is working with external specialists to monitor whether the data surfaces elsewhere. Additional security measures have been put in place to prevent a recurrence. The company apologised to affected members and said it takes the protection of customer data seriously.
Part of a broader pattern
The Rituals breach is the latest in a series of data incidents affecting Dutch companies and organisations in recent months. In February, telecom provider Odido suffered the largest data breach in Dutch history, with the personal and financial data of 6.2 million customers stolen by hacker group ShinyHunters. Gym chain Basic-Fit reported a breach in April exposing the data of around 200,000 Dutch members. A class action was launched against Odido this week by privacy foundation Consumers United in Court.
