Tiffany & Co. data breach affects South Korean customers

Tiffany & Co recently said it suffered a significant data security incident that compromised the sensitive personal information of its South Korean customers.

 

Owned by LVMH, the world’s largest luxury goods conglomerate, Tiffany & Co. is one of the world’s most prestigious houses for jewellery and accessories. Some of the other brands under the LVMH umbrella include Louis Vuitton, Christian Dior, Givenchy, Kenzo, Moët & Chandon, Dom Pérignon, and Sephora.

 

Recently, South Korean media reported that on May 26, Tiffany Korea emailed several customers notifying them of a data security incident. The breach occurred when an unauthorised threat actor gained access to a vendor platform the company used for managing customer data.

 

Tiffany Korea immediately launched an investigation, with assistance from external cyber security experts, to determine the nature and scope of the incident.

 

According to the email sent to affected customers, threat actors infiltrated the network of Tiffany’s vendor on April 8. After an investigation, the company determined on May 9, that the sensitive personal information of its customers including names, addresses, phone numbers, email addresses, internal customer ID numbers, and purchase history was exposed during the breach.

 

In a statement shared with the media, a Tiffany Korea customer service representative said, “We informed only affected customers via email. Suspicious activity was detected on a third-party application managing global customer data, and our headquarters’ security team has completed technical and legal countermeasures.”

 

The company added that no financial information, such as payment card data was compromised.

 

Earlier this month, another LVMH brand, Dior, said it suffered a data security incident where threat actors stole personal data of its customers.

 

Similar to the incident involving Tiffany Korea, the compromised data included names, gender, phone numbers, email addresses, mailing addresses, purchase amounts, and shopping preferences, however, threat actors did not access financial data such as bank account numbers, IBANs, or credit card information.