Date of Incident:
2023
Overview:
In 2023, Leroy Merlin, a company in the retail sector, experienced a data breach resulting in the exposure of customers’ personal information, including full names, phone numbers, email addresses, postal addresses, birth dates, and loyalty program details. There was no evidence of banking data or passwords being compromised, and no malicious use or public leaks have been reported so far. The breach involved unauthorized access via a web application vulnerability, followed by data exfiltration through sophisticated techniques. While unusual activity was detected in logs, no ransomware or malware was found. The incident was reported in December 2025.
Impact:
Exposure of customers’ personal data including full name, phone number, email address, postal address, date of birth, and loyalty program-related information. No banking data or passwords leaked. No evidence of malicious use or public leaks of the stolen data yet.
Details:
The Leroy Merlin data breach disclosed in 2023 involved unauthorized access that exposed customers’ personal data: full names, phone numbers, email addresses, postal addresses, dates of birth, and loyalty program information. There was no evidence that banking data or passwords were compromised, and no malicious exploitation was observed. The reported indicators of compromise (IOCs) were unauthorized API calls traced in server access logs and suspicious outbound traffic to unknown IP addresses, consistent with the data exfiltration technique MITRE ATT&CK T1041 (Exfiltration Over C2 Channel). Initial access came through a vulnerability in a web application (T1190, Exploit Public-Facing Application), followed by internal reconnaissance (T1083) and credential access attempts that did not succeed. The observed attacker code behaviour was the use of automated scripts designed to scrape database entries, exposing personal customer records. Log artifacts showed anomalies in authentication logs, unusual query patterns, and error messages tied to database access failures. No ransomware or malware payload was found, and no publicly posted samples have been identified yet.
Remediation:
The remediation guidance from vendor and security advisories included patching all web-facing applications for known vulnerabilities, enforcing multi-factor authentication (MFA) for access to sensitive data, implementing strict network segmentation, and enhancing monitoring for data exfiltration indicators. Temporary mitigations included immediately rotating access credentials and enabling comprehensive audit logging on critical systems. Known workarounds included rate limiting API requests and deploying Web Application Firewalls (WAFs) to block suspicious traffic patterns.
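The log artifacts named in the Details section (unauthorized API calls in server access logs, unusual query patterns) and the rate-limiting workaround named above can be turned into a concrete check. The script below is an added example, not code from this page, from FireCompass or from Leroy Merlin: it parses a few constructed combined-format access log lines, flags a client that enumerates sequential customer record IDs in a burst (the signature of an automated scraping script), and then replays the same traffic through a per-client sliding-window rate limiter to show how many requests such a limit would have refused. The endpoint path /api/v1/customers/{id}, the IP addresses, timestamps and thresholds are all assumptions chosen for illustration.

```python
"""Detect scraping-style enumeration of a customer API in access logs and
apply a per-client sliding-window rate limit.

Everything below (log lines, endpoint path, thresholds) is constructed for
illustration; none of it is an artifact from the Leroy Merlin incident.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# nginx/Apache "combined" style request line, enough fields for this check.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# Assumed customer-record endpoint; the numeric ID is what a scraper walks through.
CUSTOMER_PATH_RE = re.compile(r'^/api/v1/customers/(?P<id>\d+)$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: 203.0.113.7 walks six consecutive IDs in five seconds;
# 198.51.100.4 is an ordinary client touching two records well apart in time.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Mar/2023:10:15:01 +0000] "GET /api/v1/customers/1001 HTTP/1.1" 200 512
203.0.113.7 - - [02/Mar/2023:10:15:01 +0000] "GET /api/v1/customers/1002 HTTP/1.1" 200 498
203.0.113.7 - - [02/Mar/2023:10:15:02 +0000] "GET /api/v1/customers/1003 HTTP/1.1" 200 503
198.51.100.4 - - [02/Mar/2023:10:15:03 +0000] "GET /api/v1/customers/2450 HTTP/1.1" 200 510
203.0.113.7 - - [02/Mar/2023:10:15:03 +0000] "GET /api/v1/customers/1004 HTTP/1.1" 500 87
203.0.113.7 - - [02/Mar/2023:10:15:04 +0000] "GET /api/v1/customers/1005 HTTP/1.1" 200 499
203.0.113.7 - - [02/Mar/2023:10:15:05 +0000] "GET /api/v1/customers/1006 HTTP/1.1" 200 501
198.51.100.4 - - [02/Mar/2023:10:16:40 +0000] "GET /api/v1/orders/77 HTTP/1.1" 200 300
198.51.100.4 - - [02/Mar/2023:10:16:41 +0000] "GET /api/v1/customers/2451 HTTP/1.1" 200 505
"""


def parse_line(line):
    """Parse one access log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def max_sequential_run(ids):
    """Longest run of consecutive integer IDs in request order (enumeration signature)."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def max_requests_in_window(timestamps, window):
    """Largest number of requests that fall inside any sliding window of length `window`."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_enumeration(log_text, window=timedelta(seconds=60), min_requests=5, min_run=4):
    """Return {ip: {"requests", "burst", "sequential_run"}} for clients whose access
    pattern against the customer endpoint looks like automated record scraping."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = CUSTOMER_PATH_RE.match(rec["path"])
        if m:
            per_ip[rec["ip"]].append((rec["ts"], int(m.group("id"))))
    findings = {}
    for ip, hits in per_ip.items():
        hits.sort()  # chronological order, so the ID sequence is in request order
        burst = max_requests_in_window([t for t, _ in hits], window)
        run = max_sequential_run([i for _, i in hits])
        if burst >= min_requests and run >= min_run:
            findings[ip] = {"requests": len(hits), "burst": burst, "sequential_run": run}
    return findings


class SlidingWindowLimiter:
    """Per-client request cap over a sliding window: the kind of API rate limit the
    remediation guidance describes. allow() returns False once `limit` is exceeded."""

    def __init__(self, limit=20, window=timedelta(seconds=60)):
        self.limit, self.window = limit, window
        self._seen = defaultdict(list)

    def allow(self, client, ts):
        recent = [t for t in self._seen[client] if ts - t <= self.window]
        if len(recent) >= self.limit:
            self._seen[client] = recent
            return False
        recent.append(ts)
        self._seen[client] = recent
        return True


def replay_with_limit(log_text, limit=4, window=timedelta(seconds=60)):
    """Replay all parsed requests through the limiter; return blocked counts per client."""
    limiter = SlidingWindowLimiter(limit, window)
    blocked = defaultdict(int)
    records = [r for r in map(parse_line, log_text.splitlines()) if r is not None]
    for rec in sorted(records, key=lambda r: r["ts"]):
        if not limiter.allow(rec["ip"], rec["ts"]):
            blocked[rec["ip"]] += 1
    return dict(blocked)


if __name__ == "__main__":
    for ip, finding in detect_enumeration(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {finding}")
    print("requests refused by rate limit:", replay_with_limit(SAMPLE_LOG))
```

The two signals are deliberately combined: a burst alone is what a busy but legitimate integration produces, and a sequential ID walk alone at low speed may be a paginating client, but a burst of consecutive IDs against a per-record endpoint is the pattern a scraping script leaves behind. The limiter shows the trade-off of the workaround the advisories suggest: with a cap of four requests per minute per client the example scraper is cut off after four records, while the ordinary client is untouched.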
Takeaway for CISO:
The breach impacted customer trust by exposing sensitive personal data and loyalty program information. Despite no evidence of direct financial data leakage, CISOs must prioritize holistic application security hygiene, continuous vulnerability assessments, and robust incident detection capabilities. A strategic takeaway is the reinforcement of layered defenses around public-facing services and rapid detection-response workflows to mitigate similar data exfiltration risks in retail environments.
Outpace Attackers With AI-Based Automated Penetration Testing With FireCompass:
FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing & NextGen Attack Surface Management