SINGAPORE: Personal details of Sephora’s online customers in Singapore, Malaysia, Indonesia, Thailand, the Philippines, Hong Kong, Australia and New Zealand have been leaked, the international beauty retailer said on Monday (Jul 29).
Sephora said in a notice to customers that the data breach, which involved "some customers", had resulted in the exposure of personal information to unauthorised third parties.
Sephora did not elaborate on the number of users affected.
The personal information compromised includes the user’s first and last name, date of birth, gender, email address, encrypted password, as well as data related to beauty preferences.
“Please be reassured that no credit card information was accessed, and we have no reason to believe that any personal data has been misused,” it added.
Managing director for Sephora Southeast Asia, Alia Gogi, said in an email to customers that all existing passwords for customer accounts have been cancelled as a precaution.
“We are also offering a personal data monitoring service, at no cost to you, through a leading third-party provider,” she added.
The French beauty giant also said that it has “thoroughly reviewed” its security systems.
Sephora’s online users are advised to change their password if they have not already done so. They should also register for the personal data monitoring service online by Nov 30.
None of the physical stores were affected, said the cosmetic retailer on its frequently asked questions page.
"The security incident was limited to a database serving our Southeast Asia, Hong Kong SAR and Australia/New Zealand customers who used our online services," Sephora stated, adding that it was safe for customers to continue using its website and mobile app.
The company also said it detected the data breach "over the last two weeks" and immediately appointed independent experts to investigate. Affected customers were notified as soon as the details of the incident had been verified.
A spokesperson from Brunswick Group, a strategy advisory firm working with Sephora Southeast Asia, told CNA that the company's regional databases operate independently.
Sephora customers who are not from the involved markets are "not affected in any way by this incident", the spokesperson said.
The external independent experts engaged by Sephora concluded that "no major vulnerability" was found on Sephora's Southeast Asia websites, and they did not find any traces of a cyberattack.
"We can also confirm no credit card information was accessed and have no evidence that any personal data has been misused," the spokesperson added.