3rd Party Risk Management, Governance & Risk Management, Incident & Breach Response
Retailers Experience Notable Surge in Data Breaches

In a troubling security development, jewelry retailer Tiffany & Co. recently announced that hackers compromised the personal information of South Korean customers via a third-party vendor’s platform. This notification followed a similar breach disclosed by its sister brand, Dior, heightening concerns over cybersecurity vulnerabilities within the retail sector.
The breach at Tiffany was reported to have occurred on April 8 but was only discovered by the company on May 9, according to notification emails sent to affected customers and reported by the Chosun Daily.
Notably, Dior, which is part of French luxury conglomerate LVMH, also acknowledged a data breach that involved the unauthorized access of its customers’ personal information. LVMH clarified that no banking or payment details were compromised in either incident.
Despite these breaches, LVMH’s extensive portfolio—comprising renowned brands like Christian Dior Couture, Sephora, and Bulgari—reported no additional security incidents in the past month. However, challenges loom for Dior as it faces potential regulatory scrutiny in South Korea for its breach reporting practices, as the company only notified the Personal Information Protection Commission (PIPC) without adequately involving other authorities, which could result in significant fines.
This surge in breaches comes on the heels of high-profile incidents across the retail landscape, including a cyberattack on Marks & Spencer that disrupted operations and incurred substantial financial losses. The incident forced the British retailer to temporarily suspend web and app transactions, impacting its customer base significantly.
Additionally, lingerie retailer Victoria’s Secret acknowledged a cybersecurity incident last Thursday, prompting the temporary shutdown of its website and selected in-store services as a precaution. The company is currently working diligently to restore normal operations.
The recent data breaches at Tiffany & Co. and Dior exemplify the persistent threat of cyberattacks targeting retail giants and highlight the exposure that comes with third-party vendors. These incidents reinforce the need for businesses to implement robust cybersecurity measures, including mapping their defenses against frameworks such as the MITRE ATT&CK Matrix. As organizations face increasing threats, addressing adversary tactics such as initial access and privilege escalation becomes crucial to safeguarding sensitive customer information.