Sephora data breach impacts Southeast Asia customers
A Sephora data breach has been confirmed, spanning customers from Hong Kong across Southeast Asia and into Australasia.
The LVMH-owned company has emailed online customers who may have been affected confirming some of their data may have been accessed and copied.
The international beauty retailer said an unknown number of customers have been affected in territories including Hong Kong, Singapore, Malaysia, Indonesia, Thailand, the Philippines, New Zealand and Australia. Stores were not affected with the compromised data relating only to people using the brand’s online services in the region.
The firm sent an email out to its users on Monday explaining that the breach had become apparent over the course of the past fortnight.
“Some personal information may have been exposed to unauthorised third parties,” said the email signed by Sephora’s MD Southeast Asia Alia Gogi, “including first and last name, date of birth, gender, email address and encrypted password, as well as data related to beauty preferences.”
The email (pictured above) explaining the Sephora data breach stated that credit-card information does not appear to have been accessed and that personal data had not been misused.
The firm has responded by resetting all existing passwords and conducting a full security review, as well as offering customers a free personal monitoring service, available via a unique code and sign-up link directing users to a third party solutions provider.
A Sephora spokesperson told Inside Retail the company had engaged with independent experts to investigate the incident, and concluded that no major vulnerability was found in the company’s website – nor did they find any trace of a cyber attack.
Additionally, the brand has reviewed its security, having implemented a high level of monitoring and alerting for further unusual activity, implemented 2-factor authentication for all privileged systems, validated its security plan with internal and external security auditors, and has had a third-party independent from its external security experts perform a penetration test on its security.
This story first appeared on sister site Inside Retail Asia.