Cyrillus data leak detected via a third-party provider
French family-clothing retailer Cyrillus reported a customer data leak originating from one of its third-party providers, detected on 13 February 2026 and confirmed from publicly disclosed elements; the full number of affected customers was not made public.
- Victim
- Cyrillus
On 18 February 2026, Cyrillus β a French mail-order and high-street retailer of family and children's clothing β disclosed a data leak affecting its customers that originated from one of its external service providers rather than its own systems.
According to the publicly available elements, the leak was detected on 13 February 2026 and traced to a compromised third-party provider, making it a supply-chain incident: customer data held or processed on Cyrillus's behalf by that partner was exposed.
The precise scale of the breach β the number of customers affected and the exact categories of personal data exposed β was not made public in the available reporting. As a French retailer, Cyrillus is subject to GDPR notification obligations toward the CNIL and affected individuals.
The status of the incident and the brand's remediation steps remain unconfirmed at the time of reporting.
Sources
- fuitesinfos.frhttps://fuitesinfos.fr/article/2026-02-18-cyrillus
- cyrillus.frhttps://cyrillus.fr/policies/privacy-policy