International cosmetics retailer Sephora is today in damage control after informing customers across the Asia Pacific, including in Australia, that their personal information and encrypted passwords may have been exposed to an “unauthorised third party”.
Becoming the latest business to fail in safeguarding consumer data, Sephora has this week apologised to customers but has yet to even confirm how many shoppers are affected by the breach.
The company said it discovered the breach “over the last two weeks”, involving the names, dates of birth, genders, email addresses, encrypted passwords and even the “beauty preferences” of e-commerce customers.
All existing passwords have been cancelled for affected accounts, which indicates Sephora is aware of the extent of the leak, despite so far failing to publicly confirm how many Australian users could be vulnerable.
The retailer confirmed on Wednesday they contacted the Office of the Australian Information Commissioner (OAIC) on 29 July.
Sephora, owned by international luxury house LVMH, has been making waves in the local market since landing in 2015, commanding a large following of particularly young consumers who shop with the brand online and in its growing number of Australian stores.
Customers in Singapore, Malaysia, Indonesia, Thailand, the Philippines, Hong Kong and New Zealand have also been affected by the breach. Sephora is yet to confirm the circumstances behind the breach, including whether they were hacked by a malicious third party.
Within the hour of this story being originally published Sephora responded to a series of questions sent on Tuesday, revealing experts concluded “no major vulnerability” was found on its websites.
“The external independent experts we engaged to investigate concluded that no major vulnerability was found on Sephora SEA’s websites, nor did they find any traces of a cyberattack,” the company said in a statement on Wednesday.
SmartCompany understands an investigation is still underway, while Sephora has yet to confirm the circumstances behind the breach.
Beth Glancey, the country manager for Sephora in Australia and New Zealand, sent a short statement to media on Wednesday morning reiterating information contained in customer emails sent earlier this week.
“We have cancelled all existing passwords for customer accounts and thoroughly reviewed our security systems. We have reached out to our affected customers to explain what happened, and what steps they should take,” she said.
“Being transparent and protecting the safety of our customers’ information is our utmost priority.”
Sephora has not identified who the third party is, or whether they know, but claims it has “no reason to believe that any personal data has been misused”.
Further, it claims “no credit card information was accessed” by the mysterious third party.
Sephora has also yet to specify when exactly the data breach occurred and when they first became aware of the breach, saying only that they became aware of the matter in the last two weeks.
The company was asked to be more specific but declined to do so.
Sephora said it has “implemented high-level monitoring and alerting” for future unusual activity and “rotated access credentials” for all internal human and system users.
“Based on our investigation, the immediate mitigation measures undertaken, upgrades to security and increased monitoring of our systems, we believe that this incident has been contained,” the company said on Wednesday.
Worrying trend continues
The cosmetics brand is not the first business, large or small, to fail in its responsibility to safeguard consumer data. It’s not even the first this week.
National Australia Bank apologised on Monday after revealing it accidentally leaked the names and contact details of 13,000 customers.
Back in March, outdoor retailer Kathmandu admitted it was hacked, resulting in the leak of personal and payment information of customers.
In fact, more than 260 data breaches occurred between October and December last year, OAIC data shows. There have been more than 800 since February last year, 64% of which were as a result of malicious or criminal attacks.
Internationally the trend is no better. Only earlier this week credit company Equifax was forced to begin paying $125 settlements to some 148 million customers whose data it lost in a breach several years ago.
Meanwhile, Facebook was also handed a $5 billion fine in the United States over the Cambridge Analytica scandal. The Federal Trade Commission in the United States boasted the penalty is 20-times larger than any other cyber security penalty ever imposed, although it represents less than 10% of Facebook’s 2018 revenue.
There is further concern among experts the proliferation of large scale data breaches is reducing the cost of personal information on the black market, making it easier for scammers to engage in identity theft and other fraudulent activity.
The ACCC has been tracking a marked rise in local scam activity, with losses among business and consumers skyrocketing in recent years.
This story was updated at 12:13PM AEST 31 July to include updated information provided by Sephora.