Sephora hit with a data breach across SEA and New Zealand

Sephora has confirmed a data breach, compromising personal information of some customers who have used its online services in Singapore, Malaysia, Indonesia, Thailand, Philippines, Hong Kong SAR, Australia and New Zealand.

In an email to consumers seen by Marketing, Alia Gogi, managing director SEA, Sephora, said the breach occurred over the last two weeks but did not clarify the exact number of those affected. Personal information including first and last name, date of birth, gender, email address and encrypted password, as well as data related to beauty preferences, was among the data exposed to unauthorised third parties.

Gogi also clarified that no credit card information was accessed, and said the team has "no reason to believe that any personal data has been misused". Apologising for any concern and inconvenience caused, Gogi said that, as a precaution, all existing passwords for customer accounts have been cancelled. The SEPHORA team has reviewed its security systems and is also offering a personal data monitoring service at no cost through a third-party provider. The beauty brand recommends that users change to a new password and register for the personal data monitoring service by 30 November 2019.

Marketing has reached out to Sephora for additional information.

Recently, there have been a number of data breaches in Singapore. In May, Singapore Red Cross (SRC) was hacked, compromising personal data of 4,297 interested donors. Name, contact number, email, declared blood type, preferred appointment date/time, and preferred location for blood donations were some of the information that was accessed by the hacker. However, SRC's other databases and the Health Sciences Authority’s systems were unaffected by the incident.

Earlier this month, F&B operator Spize was fined SG$20,000 by the Personal Data Protection Commission (PDPC) for failing to appoint a data protection officer and not making reasonable security arrangements to prevent the unauthorised disclosure of customers’ personal data, among other breaches. This comes after a data breach on 12 August 2017.

AIA Singapore also received a penalty of SG$10,000 from the Personal Data Protection Commission (PDPC) last month for failing to make “reasonable” security arrangements in its letter generation process. This comes after 245 letters meant for various customers that the insurance company generated on 22 and 27 December 2017 were sent to two customers.
