
Luxury watch retailer Cortina Watch has been mandated to engage a third-party cyber-security vendor for an extensive audit following a significant data breach in 2023. The breach compromised the personal information of 3,953 individuals, with details such as full names, contact numbers, and some bank account numbers stolen and subsequently uploaded on the dark web.
The Personal Data Protection Commission (PDPC) revealed in a judgment published on May 23 that Cortina Watch would not face a fine. The decision considered the breach’s impact, the company’s prompt response, and cooperation during the investigation.
Cortina Watch reported the breach on June 5, 2023, following a ransomware attack on its server. Subsequent investigations revealed that the retailer had been subjected to multiple cyber attacks between April 30 and June 4, 2023. On May 27, 2023, a hacker compromised a test account used for virtual private network (VPN) access, stole 5.82GB of data and deployed LockBit 3.0 ransomware to encrypt additional files on the retailer’s servers.
The stolen data, including usernames, passwords, customer data, inventory details, sales orders, and strategies, was leaked on the dark web. In response, Cortina Watch took all its servers offline from June 4 to June 9, 2023, and implemented new cyber-security measures, including data encryption—a step previously not undertaken.
The PDPC’s judgment noted that Cortina Watch admitted to not having reasonable access controls in place, particularly for its test VPN accounts. The company also failed to enforce a robust password policy: it required only that passwords be at least eight characters long, without more stringent measures like complex usernames or multi-factor authentication.