Tiffany & Co. reveals data breach compromised some Canadian customers' personal information - The Globe and Mail
Photo caption: Tiffany & Co. informed some customers in Canada that an unauthorized third party accessed and obtained some client information on or around May 12. (Fred Lum/The Globe and Mail)

Tiffany & Co. told some customers in Canada on Monday that a data breach four months ago may have leaked their names, postal and email addresses, phone numbers and sales data, in one of several attacks on luxury retailers in recent months.

In an email seen by The Globe and Mail, the high-end jewellery brand, owned by luxury conglomerate LVMH, said that an unauthorized third party accessed and obtained some client information on or around May 12.

It did not provide further details on what type of sales data may have been accessed.

While the company did not state when the issue was identified, they learned about the type of data leaked for some customers on Sept. 14, according to the email, and notifications were sent a day later, on Monday. "To date, we have no evidence of harm or further misuse of the affected data in connection with the incident," the Tiffany & Co. email said.

Tiffany & Co. and LVMH did not respond to multiple requests for comment about the scale of the breach or measures taken to protect customer data. A spokesperson for the Office of the Privacy Commissioner of Canada, Vito Pilieci, said it is aware of the incident and is actively engaged in ensuring that the company is taking the necessary steps to protect Canadians' personal information.

Denis Kucinic, vice-president of operations at Canadian cybersecurity firm Packetlabs, said that high-end retailers are often targeted specifically, and every hour counts when it comes to mitigating the damage from these types of leaks.

"You've got to think about it from an attacker's perspective. They have addresses of people that have luxury goods," he said. "These people have all this jewellery, now they know where they live."

Knowing the addresses and contact details of individuals shopping for high-end goods, and how much money they spend, may allow attackers to prioritize who to target with further hacks, including through secondary information from other breaches, Mr. Kucinic said.

It can also help them track high-profile individuals, getting information on, for example, basketball players.

It remains unclear how the data was leaked or who was behind a possible attack, if the incident was malicious.

Similar breaches involving luxury brands such as Gucci, Balenciaga and Alexander McQueen, confirmed on the same day, were linked to a cybercrime group called ShinyHunters. The group has claimed to have stolen data tied to more than 74 million unique email addresses and sales data such as "Total Sales," revealing the amount of money a customer spent with a given company, according to a BBC report.

These leaks can lead to further harm by helping steal banking details or enable identity theft when combined with data from other breaches, Mr. Kucinic said. "They can start building this profile of people and all the information that you can get off them."

Earlier this summer, jewellery brand Cartier also experienced a breach. Another leak affected hundreds of thousands of global customers at LVMH's Louis Vuitton in June. Similar leaks affected the luxury parent company this summer in Britain and South Korea.

Mr. Kucinic said some of the spikes can be attributed to the approaching holiday shopping season, with hackers holding customer data for ransom, knowing that it may be more pressing for retailers to pay out.

Terry Cutler, chief executive officer of Quebec-based cybersecurity firm Cyology Labs Inc., said the biggest challenge for customers is when companies don't provide clear guidance on what to do after a breach. In Tiffany's case, customers may be confused, given that one type of the listed leaked information, sales data, was left vague.

The company gave few instructions to customers in their notice, except to stay alert for suspicious calls or communications.

Mr. Cutler, however, recommended that any affected clients change passwords on the site and anywhere else they've used them, while enabling two-factor authentication.

More importantly, he said, customers should demand clarity from the company, including what fields were exposed, the time frame and whether payment data was impacted. "Under Canadian law and the Personal Information Protection and Electronic Documents Act, you have the right to that information," Mr. Cutler said.

Copyright 2025 The Globe and Mail Inc. All rights reserved.