Tiffany and Dior Experience Data Breaches Affecting South Korean Customers


Retailers Report an Increase in Data Breaches


Tiffany & Co. has reported that hackers accessed sensitive customer data of South Korean clients through a third-party vendor’s platform. This revelation comes shortly after a similar announcement from sister brand Dior, which also fell victim to a data breach impacting its clientele.

The Tiffany breach took place on April 8, but the company did not uncover the incident until May 9, when it began notifying customers about the theft of their personal information, as reported by Chosun Daily.

Dior’s disclosure, which was also made public recently, indicated that personal information belonging to its customers had been compromised. The parent company, LVMH, asserted that bank account and payment card details remained secure and unaffected by the breach.

LVMH’s extensive portfolio encompasses numerous well-known brands, yet none of the others have reported any data security incidents in the past month, raising questions about the security measures employed across its network.

According to reports from the Korean news outlet JoongAng Daily, Dior may face regulatory scrutiny in South Korea for not fully adhering to data breach reporting protocols. This could involve penalties, as the brand reportedly only notified the Personal Information Protection Commission (PIPC) without informing additional necessary agencies, potentially leading to fines exceeding 30 million won, approximately $21,859.

These breaches come amid a series of high-profile cyberattacks affecting major retail brands globally, including Marks & Spencer, which experienced a cyber incident in April that halted operations across its digital platforms, incurring significant financial losses (see: M&S Reportedly Hacked Using Third-Party Credentials).

Victoria’s Secret also acknowledged a cybersecurity incident this week through an announcement on its website, noting that it took certain online services offline as a precautionary measure while working diligently to restore full operational capabilities.

Viewed through the MITRE ATT&CK framework, the initial access tactic, in this case gaining entry into a system through third-party vulnerabilities, may have been instrumental in these attacks. Continued vigilance and improved security measures are critical for businesses, especially those relying on third-party vendors, to mitigate potential threats.
