April 23, 2026
A Week in Data Breaches: Rituals, Citizens Bank and More
Another week, another string of data breaches that serve as a reminder of just how vulnerable customer and citizen data remains across industries. From cosmetics memberships to banking records and half a million people’s medical histories, the past seven days have exposed serious weak spots in how organisations protect the information entrusted to them.
Rituals Confirms Membership Data Theft across Europe and the US
Netherlands-based cosmetics brand Rituals, whose membership database holds more than 41 million customers, confirmed on 22 April that hackers had carried out an unauthorised download of member data. The company said the stolen records include full names, dates of birth, gender, postal and email addresses, phone numbers, preferred store locations and account types.
Rituals initially said the breach affected customers in Europe and the United Kingdom, but later confirmed that some US-based members were also involved. The company has not disclosed the total number of affected individuals, how the breach occurred, or whether it received any ransom demand, citing security reasons.
Rituals is the latest retailer to suffer a customer membership breach in what has been a difficult twelve months for the sector, following similar incidents at UK chains Co-op and Marks & Spencer last year.
Everest Ransomware Group Targets Citizens Bank and Frost Bank
In the US, the personal information of thousands of Citizens Bank customers has been compromised in a data breach that targeted a third-party vendor.
According to Citizens Bank spokesperson Rory Sheehan, the compromised data includes the type of information found on a personal cheque: customer names, addresses and account numbers. Sheehan said there is no evidence that a bad actor gained unauthorised access to the bank’s own network, and that the incident affected a small number of customers. The bank has put enhanced monitoring in place and is reaching out to affected customers, offering complimentary account monitoring.
Separately, the Everest ransomware group listed both Citizens and Texas-based Frost Bank on its dark web leak site on 20 April, claiming to hold approximately 3.4 million records from Citizens Bank and setting a six-day deadline before threatening to publish the data. Citizens is now facing two class-action lawsuits connected to the incident. Sheehan told WPRI’s 12 News that the allegations in the lawsuits are “generally inaccurate.”
UK Biobank Data Hacked and Listed for Sale on Alibaba
Perhaps the most alarming breach to surface this week involves UK Biobank, the medical research database that stores genetic, biological and health data from 500,000 British volunteers. UK technology minister Ian Murray told the House of Commons on 23 April that the charity had informed the government on 20 April that its data was being advertised for sale across multiple listings on Alibaba’s e-commerce platforms in China. At least one of the three identified listings appeared to contain data from all 500,000 participants.
Murray said the data did not include participants’ names, addresses, contact details or telephone numbers, but Biobank holds genome sequences, scans, blood samples and lifestyle information that could still carry re-identification risks, particularly in an era of AI-powered cross-referencing.
The government acted to have the listings removed, revoked access for three research institutions identified as the source of the leak, and asked Biobank to pause all further data access until a technical solution is in place to prevent future downloads.
The breach follows a Guardian investigation in March that found de-identified Biobank data had been inadvertently published online by researchers on dozens of occasions.
These incidents are customer experience failures that erode the trust organisations spend years trying to build. When personal data is stolen, customers do not separate the breach from the brand. A single incident can undo years of relationship-building, loyalty programme investment and carefully designed communications.
The lesson is that data protection sits at the heart of the customer relationship. Organisations that want to protect the experiences they deliver need to treat cybersecurity as a boardroom-level priority, invest in employee training and security-aware onboarding practices, and ensure that third-party vendors are held to the same standards as their own systems.
