Watchdog probing customer data breach at retailer Sephora

Sephora has apologised and cancelled all existing passwords for customer accounts. PHOTO: SEPHORA

Singapore's privacy watchdog is investigating international beauty retailer Sephora, after it reported a breach of its online users' data, affecting customers in Singapore, as well as other countries including Malaysia, Indonesia, Thailand, the Philippines, New Zealand and Australia.

Yesterday, the retailer, which has 12 stores in Singapore, issued a notice to its online customers stating that the data breach was discovered over the past two weeks.

In the e-mail, Sephora's managing director for South-east Asia Alia Gogi said: "Some personal information may have been exposed to unauthorised third parties, including first and last name, date of birth, gender, e-mail address and encrypted password, as well as data related to beauty preferences."

She added that no credit card information was accessed and that the company had "no reason to believe that any personal data has been misused".

In response to queries from The Straits Times, a spokesman for the Personal Data Protection Commission (PDPC) said: "PDPC has been notified by Sephora Digital SEA Pte Ltd of the incident and is looking into it."

On its website, Sephora said none of its physical stores was affected and it was safe for customers to use its mobile app and website.

"The security incident was limited to a database serving our South-east Asia, Hong Kong and Australia/New Zealand customers who used our online services," said Sephora.


It is not known how many customers were affected in the data breach.

Responding to queries from The Straits Times, a spokesman for Sephora South-east Asia said the experts it engaged found "no major vulnerability" on the company's websites.

No traces of a cyber attack were found either and the spokesman added that the company had no evidence any personal data has been misused.

The company has apologised and cancelled all existing passwords for customer accounts.

It has also conducted a review of its security systems and is offering a free personal data monitoring service to its customers, through a third-party provider. Impacted customers here can sign up for this service for a year, said the Sephora South-east Asia spokesman.

Customers who wish to avail themselves of the service can sign up at a link provided by Sephora while using a unique code by Nov 30.

In the e-mail, the company also recommended that its customers change the passwords of their accounts.

One Sephora customer, Miss Ada Sulaiman, said she was surprised when she found out about the breach, but was relieved to know that her payment details were not exposed.

"That said, I think it is still a cause of concern as the personal information that was breached is still a gateway to my financial details," said the 27-year-old media consultant.

"I wish there were more details about the monitoring service and possible recourse," she added.

"The next step for them after this is assuring me that my data will be safeguarded moving forward."

A version of this article appeared in the print edition of The Straits Times on July 30, 2019, with the headline 'Watchdog probing customer data breach at retailer Sephora'.