
Tiffany & Co. informed some customers in Canada that ‘an unauthorized third party’ accessed and obtained some client information on or around May 12. Fred Lum/The Globe and Mail

Tiffany & Co. told some customers in Canada on Monday that a data breach four months ago may have leaked their names, postal and e-mail addresses, phone numbers and “sales data” in one of several attacks on luxury retailers in recent months.

In an e-mail seen by The Globe and Mail, the high-end jewellery brand owned by luxury conglomerate LVMH said that “an unauthorized third party” accessed and obtained some client information on or around May 12.

It did not provide further details on what type of sales data may have been accessed.

While the company did not state when the issue was identified, it learned about the type of data leaked for some customers on Sept. 14, according to the e-mail, and notifications were sent a day later on Monday. “To date, we have no evidence of harm or further misuse of the affected data in connection with the incident,” the Tiffany & Co. e-mail said.


Tiffany & Co. and LVMH did not respond to multiple requests for comment about the scale of the breach or measures taken to protect customer data. A spokesperson for the Office of the Privacy Commissioner of Canada, Vito Pilieci, said it is aware of the incident and is “actively engaged” in ensuring that the company is taking the necessary steps to protect Canadians’ personal information.

Denis Kucinic, vice-president of operations at Canadian cybersecurity firm Packetlabs, said that high-end retailers are often targeted specifically and every hour counts when it comes to mitigating the damage from these types of leaks.

“You’ve got to think about it from an attacker’s perspective. They have addresses of people that have luxury goods,” he said. “These people have all this jewellery – now they know where they live.”

Knowing the addresses and contact details of individuals shopping for high-end goods and how much money they spend may allow attackers to prioritize who to target with further hacks, including through secondary information from other breaches, Mr. Kucinic said.

It can also help them track high-profile individuals, “getting information on, for example, basketball players.”

It remains unclear how the data was leaked or who was behind a possible attack if the incident was malicious.

Similar breaches involving luxury brands such as Gucci, Balenciaga and Alexander McQueen, confirmed on the same day, were linked to a cybercrime group called “ShinyHunters.” The group has claimed to have stolen data tied to more than 7.4 million unique e-mail addresses and sales data such as “Total Sales,” revealing the amount of money a customer spent with a given company, according to a BBC report.

These leaks can lead to further harm by helping steal banking details or enable identity theft when combined with data from other breaches, Mr. Kucinic said. “They can start building this profile of people and all the information that you can get off them.”

Earlier this summer, jewellery brand Cartier also experienced a breach. Another leak affected hundreds of thousands of global customers at LVMH’s Louis Vuitton in June. Similar leaks affected the luxury parent company this summer in Britain and South Korea.

Mr. Kucinic said some of the spikes can be attributed to the approaching holiday shopping season, with hackers holding customer data for ransom knowing that it may be more pressing for retailers to pay out.


Terry Cutler, chief executive officer of Quebec-based cybersecurity firm Cyology Labs Inc., said the biggest challenge for customers is when companies don’t provide clear guidance on what to do after a breach. In Tiffany’s case, customers may be confused given that one type of the listed leaked information – “sales data” – was left vague.

The company gave few instructions to customers in its notice except to stay alert for suspicious calls or communications.

Mr. Cutler, however, recommended that any affected clients change passwords on the site and anywhere else they’ve used them while enabling two-factor authentication.

More importantly, he said customers should demand clarity from the company, including “what fields were exposed, the time frame, and whether payment data was impacted.” Under Canadian law and the Personal Information Protection and Electronic Documents Act, “you have the right to that information,” Mr. Cutler said.
