Skip to content
Supply chainUnknown

Cyrillus data leak detected via a third-party provider

French family-clothing retailer Cyrillus reported a customer data leak originating from one of its third-party providers, detected on 13 February 2026 and confirmed from publicly disclosed elements; the full number of affected customers was not made public.

Victim
Cyrillus

On 18 February 2026, Cyrillus β€” a French mail-order and high-street retailer of family and children's clothing β€” disclosed a data leak affecting its customers that originated from one of its external service providers rather than its own systems.

According to the publicly available elements, the leak was detected on 13 February 2026 and traced to a compromised third-party provider, making it a supply-chain incident: customer data held or processed on Cyrillus's behalf by that partner was exposed.

The precise scale of the breach β€” the number of customers affected and the exact categories of personal data exposed β€” was not made public in the available reporting. As a French retailer, Cyrillus is subject to GDPR notification obligations toward the CNIL and affected individuals.

The status of the incident and the brand's remediation steps remain unconfirmed at the time of reporting.

Sources

  1. fuitesinfos.frhttps://fuitesinfos.fr/article/2026-02-18-cyrillus
  2. cyrillus.frhttps://cyrillus.fr/policies/privacy-policy

Related incidents

Supply chainContained

Leak at Jeu Jouet

French online toy retailer JeuJouet.com warned customers in April 2026 that its Magento e-commerce platform was compromised in a mass exploitation campaign, potentially exposing names, email addresses, account credentials and order data; no banking details were affected.

Victim
Jeu Jouet