Exclusive: Former Shiseido staff say company was aware of data breach weeks before official notice
Fake companies were created using the stolen identities of hundreds of Shiseido employees, former staff claim
Management at cosmetics firm Shiseido was allegedly aware of a data breach on company systems weeks before officially reporting the incident to the Information Commissioner’s Office (ICO), according to former employees.
The UK data regulator told IT Pro that the Japanese cosmetics giant first reported “an incident” on 11 April, as per reporting rules that require a company to report any incidents to the ICO no later than 72 hours after first discovery.
However, two former Shiseido employees have told IT Pro that the company had been made aware of the data breach as early as 17 March, following multiple reports of employees having their identities stolen.
One of the victims, former business manager for Shiseido subsidiary NARS Cosmetics, Faye Hopping, detailed how she became aware of her personal details, including a scan of her photo ID, being used to set up a fraudulent company in her name:
“My postman intercepted a letter from Companies House towards the end of March which went to my old property. Luckily he did, or I would have been completely unaware that a company had been established in my name as director! The company was set up from 14/3/22 so I’m not sure when my details would have been breached,” she told IT Pro.
After “emailing countless people within Shiseido”, Hopping was only formally contacted by the company on 19 April, with an offer of a 12-month subscription to Experian credit and web monitoring services.
Hopping described the offer as “bit late considering most of us were advised to join Experian & Cifas when we reported the incident to the fraud crime [police]”.
In the same correspondence dated 19 April, the cosmetics giant denied responsibility for the data breach, stating that “there is no evidence that the information has come from Shiseido”.
This is despite the list of victims reportedly including “hundreds” of former and current employees of Shiseido and its subsidiary brands, according to employee reports.
The company has refused to accept liability "as [the breach] could have come from a third party or even HMRC", another former employee who had a fake company set up in their name told IT Pro.
Having received a letter from Companies House in the first week of March congratulating them on becoming a company director, the former employee, who wishes to remain anonymous, promptly notified Action Fraud. However, they didn't find out about the breach until 7 April, when a former co-worker mentioned that they had "attended a Teams Q&A that day about a possible data breach".
"She [the co-worker] was told the company are not accepting liability and therefore had no intention of contacting former colleagues. I also found out that they sent out an email on the 17th March so they were aware of the breach at this point," the former employee said in an email to IT Pro.
"I have since sent four emails to Shiseido HR and Legal [department] but have yet to have a response. They sent out a scripted email on Thursday, 14 April from a new email address they set up specifically for the data breach and I forwarded all emails I’d previously sent to this email address but I have still yet to hear back from them. I have sent a subject of access request and a formal complaint to them but they haven’t responded," she added.
Hopping told IT Pro that she was in contact with 23 former colleagues who had also been affected, adding that “it’s disgusting how this whole incident has been handled".
Shiseido didn’t reply to IT Pro’s multiple requests for comment.
Under GDPR, companies have up to 72 hours to inform the ICO of a data incident once it is clear the breach poses a risk to the rights and freedoms of data subjects. If the incident is likely to create significant risk, companies are also required to inform the affected employees without undue delay.
If a company is found to have breached this rule without justification for the delay, it can be liable for a fine of up to £10 million or 2% of global turnover, whichever is higher.
Having only graduated from City University in 2019, Sabina has already demonstrated her abilities as a keen writer and effective journalist. Currently a content writer for Drapers, Sabina spent a number of years writing for ITPro, specialising in networking and telecommunications, as well as charting the efforts of technology companies to improve their inclusion and diversity strategies, a topic close to her heart.
Sabina has also held a number of editorial roles at Harper's Bazaar, Cube Collective, and HighClouds.