French home improvement and DIY retail giant Leroy Merlin has notified customers that their personal information has been compromised in a recent data breach. The company confirmed that its information system was targeted by a cyberattack, allowing unauthorized parties to potentially extract customer data.
The incident affects only customers in France and exposed the following data types:
full name
phone number
email address
postal address
date of birth
loyalty program–related information
The company clarified that banking data and account passwords were not compromised. Additionally, according to its statement, the stolen information has not yet been used maliciously — it has not been leaked online, published, or used for extortion attempts.
Upon detecting the incident, Leroy Merlin blocked unauthorized access and took containment measures to secure its systems.
Leroy Merlin is one of Europe’s largest DIY retail networks, operating across multiple EU countries, as well as Brazil and South Africa. The company employs 165,000 people and generates nearly $10 billion in annual revenue.
Despite the company’s size, no ransomware group has claimed responsibility at the time of writing, and no evidence has emerged of the data being published or sold. Affected customers were provided guidance on identifying phishing attempts and monitoring unusual account activity.
Although financial credentials and passwords were not exposed, the breach serves as an important reminder that even major global retailers remain vulnerable to cyberattacks. Leroy Merlin urges customers to stay alert to unsolicited messages or suspicious contact attempts, as compromised information may be exploited for phishing or social engineering.
