Rituals Data Breach Explained: Hack Matches Odido Scale | Cybersecurity Guide

Rituals cosmetics confirms major data breach affecting millions of customer records across 33 countries in April 2026, with cybersecurity experts warning it matches the scale of the Odido hack that impacted 6.2 million people.

What is the Rituals Data Breach?

The Dutch cosmetics giant Rituals has confirmed a major data breach affecting millions of customer records across Europe, with cybersecurity experts warning the hack is 'of the same scale as the Odido breach' that impacted 6.2 million people earlier this year. The Rituals data breach, discovered in April 2026, involved unauthorized downloading of sensitive customer information from the company's MyRituals membership database, which contains over 41 million customer records globally.

Understanding the Scale of the Rituals Hack

Rituals CEO Raymond Cloosterman described the breach as affecting a 'considerable number' of customers, while cybersecurity expert Jort Kollerie of Orange Cyberdefense warned that the multinational scope suggests the incident involves millions of records. 'That it concerns 33 countries where Rituals is active, that is quite a lot,' Kollerie stated. 'When you look at how much data is involved, that concerns individuals. I think it runs into the millions, just like with the Odido hack.'

The company operates in 33 countries with 1,500 stores worldwide and reported €2.4 billion in revenue for 2025. The breach notifications appearing simultaneously on Rituals' Dutch, Belgian, English, French, and German websites indicate the attack's international scope, affecting customers across Europe, the United Kingdom, and some in the United States.

What Data Was Stolen?

According to Rituals' notification to affected customers, hackers accessed and downloaded:

  • Full names and addresses
  • Telephone numbers and email addresses
  • Dates of birth and gender information
  • Preferred store locations
  • Account type information

The company emphasized that no passwords or payment details were compromised, but cybersecurity experts warn that the stolen personal information alone creates significant risks for identity theft and phishing attacks.

Comparison with the Odido Breach

Rituals Breach (April 2026) | Odido Breach (February 2026)
Cosmetics retailer with 41M+ members | Telecom provider with 6.2M affected
Personal data: names, addresses, phone, email, birth dates | Personal data plus bank details, ID numbers
33 countries affected internationally | Primarily Netherlands customers
No payment data compromised | Bank account numbers (IBANs) stolen
Reported to Dutch AP immediately | Class action lawsuit filed by consumers

The Odido breach, which affected approximately one-third of the Netherlands' population, resulted in stolen data including bank account numbers and government ID details being published on the dark web after the company refused to pay ransom demands. A mass claim lawsuit against Odido has been launched by consumer group Consumers United in Court (CUIC), seeking damages and setting GDPR compliance precedents.

Company Response and Regulatory Implications

Rituals says it took immediate measures after discovering the hack, blocking access to the data and implementing additional security measures to prevent recurrence. The company has reported the incident to the Dutch data protection authority, Autoriteit Persoonsgegevens (AP), as required under the GDPR.

Under GDPR, companies can face fines of up to €20 million or 4% of global annual turnover for data protection violations. The AP has previously imposed significant penalties, including a record €290 million fine against Uber in 2024 for improper international data transfers. Rituals' €2.4 billion revenue in 2025 means potential fines could reach €96 million if regulators determine the company failed to implement adequate security measures.

Steps Taken by Rituals

  1. Immediate blocking of unauthorized access to customer data
  2. Notification of affected customers across multiple countries
  3. Reporting to Dutch privacy watchdog AP
  4. Implementation of additional security measures
  5. Monitoring dark web for stolen data appearance

Impact on Customers and Cybersecurity Risks

While Rituals claims the stolen data hasn't been publicly released, cybersecurity experts warn that customers face significant risks:

  • Phishing attacks: Criminals can use stolen personal information to create convincing fraudulent emails
  • Identity theft: Comprehensive personal data enables sophisticated identity fraud
  • Targeted scams: Knowledge of preferred stores and purchase history allows personalized scams
  • Combined data risks: When combined with other breached data, the stolen records can be used to build comprehensive profiles

This marks the fourth major Dutch cyber attack in three months, following the breach at telecom firm Odido, a data security incident at Booking.com, and a breach at fitness chain Basic-Fit affecting up to 1 million European members.

Frequently Asked Questions

What should Rituals customers do now?

Affected customers should monitor their email and bank accounts for suspicious activity, be cautious of phishing attempts, consider changing passwords on other accounts using similar credentials, and enable two-factor authentication where available.

How does this compare to other retail data breaches?

The Rituals breach follows similar incidents at UK retailers Co-op and Marks & Spencer, highlighting growing cybersecurity challenges for consumer brands with membership-based business models that create concentrated data repositories attractive to cybercriminals.

What are the legal implications for Rituals?

Rituals faces potential GDPR fines from Dutch authorities, possible class action lawsuits similar to the Odido case, and reputational damage that could impact customer trust and future membership growth.

Was payment information compromised?

Rituals confirms no payment details or passwords were accessed in the breach, though the stolen personal information alone creates significant security risks for affected customers.

How many customers are affected?

While Rituals hasn't disclosed exact numbers, cybersecurity experts estimate the breach affects millions of customers across the company's 33-country operational footprint.
