Leroy Merlin Customer Data Breach Exposes Personal Information in France
Executive Summary
In June 2024, French home improvement retailer Leroy Merlin disclosed a security incident impacting its French customer base. Attackers gained unauthorized access to customer accounts and personal data, including names, email addresses, physical addresses, phone numbers, and order histories. While no financial data or passwords were compromised, the company became aware of unusual activity and swiftly launched an internal investigation and incident response procedures. Affected users were notified and advised to remain vigilant against phishing attempts. The incident has triggered regulatory attention and widespread concern among customers.
The breach at Leroy Merlin highlights the increasing frequency of attacks targeting customer data in the retail sector. As organizations digitize more customer interactions, they face mounting regulatory pressure to safeguard personal information and promptly report security incidents to minimize reputational and financial risk.
Why This Matters Now
Customer data breaches continue to surge in frequency, and regulatory authorities are demanding rapid, transparent disclosures. With the retail sector handling vast amounts of personal data, this incident underscores the urgent need for comprehensive security measures, including robust traffic encryption and advanced anomaly detection, to prevent lateral movement and data exfiltration.
Attack Path Analysis
Attackers gained initial access, likely via exploitation of a misconfigured or vulnerable cloud service linked to customer data storage. Once inside, they escalated privileges to reach data storage systems. The adversaries then moved laterally within internal cloud environments to discover and access broader datasets. Command and control was maintained by covert outbound traffic to operate undetected. Exfiltration of sensitive customer records occurred through unauthorized data transfer out of the cloud. The impact was the compromise of personal customer data, resulting in regulatory notifications and reputational consequences.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited a cloud misconfiguration or vulnerable internet-exposed application to gain unauthorized access to resources containing customer data.
MITRE ATT&CK® Techniques
Valid Accounts
Exploit Public-Facing Application
Phishing
Account Discovery
Data from Local System
Automated Exfiltration
Exfiltration Over C2 Channel
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
GDPR – Data Protection Principles and Security of Processing
Control ID: Articles 5 & 32
PCI DSS 4.0 – Implement Incident Response Procedures
Control ID: Requirement 12.10
NIS2 Directive – Technical and Organizational Measures
Control ID: Article 21
NYDFS 23 NYCRR 500 – Cybersecurity Policy and Procedures
Control ID: Section 500.03
CISA Zero Trust Maturity Model 2.0 – Continuous Authentication and Account Monitoring
Control ID: Identity Pillar - Detect Compromised Credentials
DORA (Digital Operational Resilience Act) – ICT Risk Management
Control ID: Article 8
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Retail Industry
Direct impact as Leroy Merlin DIY retail breach exposes customer data vulnerabilities requiring enhanced segmentation, egress security, and encrypted traffic protection.
Consumer Goods
High risk from similar customer data exposure patterns, necessitating zero trust segmentation and threat detection capabilities for consumer-facing operations.
E-Learning
Elevated vulnerability due to extensive customer data collection requiring multicloud visibility, anomaly detection, and compliance with data protection regulations.
Consumer Services
Significant exposure risk from customer information breaches demanding comprehensive egress security, encrypted communications, and enhanced threat response capabilities.
Sources
- French DIY retail giant Leroy Merlin discloses a data breachhttps://www.bleepingcomputer.com/news/security/french-diy-retail-giant-leroy-merlin-discloses-a-data-breach/Verified
- Leroy Merlin France Loyalty Program Data Breach: December 2025 Security Incident Analysis and Technical Reporthttps://www.rescana.com/post/leroy-merlin-france-loyalty-program-data-breach-december-2025-security-incident-analysis-and-techniVerified
- FAQ Incident données clients | Leroy Merlinhttps://www.leroymerlin.fr/faq-incident-donnees-clients/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Comprehensive zero trust segmentation, strong egress policy enforcement, robust east-west visibility, and inline threat detection would have limited unauthorized access, halted lateral movement, and blocked data exfiltration at multiple stages of the attack.
Control: Zero Trust Segmentation
Mitigation: Restricted attacker access to only explicitly permitted assets.
Control: Multicloud Visibility & Control
Mitigation: Rapid detection of abnormal permission escalations and privileged access.
Control: East-West Traffic Security
Mitigation: Detection and microsegmentation of unauthorized lateral movements.
Control: Threat Detection & Anomaly Response
Mitigation: Real-time alerting and quarantine of suspicious outbound traffic.
Control: Egress Security & Policy Enforcement
Mitigation: Blocked unauthorized data flows to unapproved destinations.
Limited blast radius, minimized regulatory and business impact.
Impact at a Glance
Affected Business Functions
- Customer Relationship Management
- Loyalty Program Management
- Marketing Communications
Estimated downtime: 2 days
Estimated loss: $500,000
Personal information of French customers, including full names, phone numbers, email addresses, postal addresses, dates of birth, and loyalty program details, was exposed. No banking data or account passwords were compromised.
Recommended Actions
Key Takeaways & Next Steps
- • Deploy zero trust segmentation to enforce least-privilege access and restrict exposure of critical cloud assets.
- • Implement comprehensive east-west traffic monitoring and microsegmentation to rapidly detect and contain lateral movement.
- • Enforce granular egress controls to block unauthorized outbound data transfers and mitigate data exfiltration risk.
- • Leverage inline anomaly detection and centralized visibility for prompt detection of privileged misuse and suspicious command-and-control traffic.
- • Continuously review and harden IAM roles, permissions, and security policies as part of a proactive cloud security governance program.
