Sephora customers' data breached, names, e-mail addresses and passwords exposed

Sephora has apologised and cancelled all existing passwords for customer accounts.
Sephora has apologised and cancelled all existing passwords for customer accounts.PHOTO: SEPHORA

SINGAPORE - International beauty retailer Sephora has admitted to a breach of its online users’ data, affecting customers in Singapore as well as in other countries including Malaysia, Indonesia, Thailand, Philippines, New Zealand and Australia. 

On Monday (July 29) the popular makeup retailer, which has 12 stores in Singapore, issued a notice to its online customers to say that the data breach was discovered over the past two weeks.

In the e-mail, Sephora’s managing director of Southeast Asia Alia Gogi said: “Some personal information may have been exposed to unauthorized third parties, including first and last name, date of birth, gender, e-mail address and encrypted password, as well as data related to beauty preferences.”

She added that no credit card information was accessed and that the company had “no reason to believe that any personal data has been misused”.

On its website, Sephora said that none of its physical stores were affected and that it was safe for customers to use its mobile app and website.

“The security incident was limited to a database serving our Southeast Asia, Hong Kong SAR and Australia/New Zealand customers who used our online services,” the company said. 

It is not known how many customers  were affected in the data breach.


In response to queries from The Straits Times, a spokesman from Sephora South-east Asia said that the experts it engaged found “no major vulnerability” on the company’s websites.

No traces of a cyber attack were found either, and the spokesman added that it had “no evidence” of  personal data being  misused.

The company has apologised and cancelled all existing passwords for customer accounts. 

It has also conducted a review of its security systems and is offering a free personal data monitoring service to its customers, through a third-party provider.

Customers who wish to avail themselves of the service can sign up at a link provided by Sephora while using a unique code by Nov 30.

In the e-mail, the company also recommended that its customers change the passwords of their accounts.

The French brand was founded in 1970 and, in addition to its own label, carries hundreds of other brands with products ranging from cosmetics, skincare, fragrance, beauty tools, personal care products and haircare.

In response to queries from The Straits Times, a spokesman from the Personal Data Protection Commission said: “PDPC has been notified by Sephora Digital SEA Pte Ltd. of the incident and is looking into it.”