Danish jewellery maker Pandora has become the latest high-profile retailer to be targeted by a cyber-attack, following a similar breach at Chanel earlier this week.
The attacks have prompted Salesforce, which works with both retailers, to warn customers to follow security best practices, including enforcing MFA.
Diamond seller Pandora reportedly wrote to its customers this week confirming it had experienced a cybersecurity attack, and that “some customer information was accessed through a third-party platform that we use.”
The exposed data was “common types of data…name and email address,” Pandora told customers, with no passwords, credit card details or other “confidential data” involved.
The jeweller informed customers that there was no evidence the exposed data had been shared or published, and it had “strengthened” its security measures.
Bleeping Computer reported that the third-party platform in question was Salesforce. The CRM firm has regularly highlighted the jewellery firm’s use of its platforms.
Earlier this week Chanel was reportedly hit by a cyberattack, again reportedly via its Salesforce database.
On Monday the fashion and jewellery giant’s North America website was “temporarily down for maintenance.” TI asked Chanel to comment but have not had a response.
On Tuesday a Salesforce spokesperson told us: “Chanel is a valued customer, and our teams are proactively engaged to support them in any way they need.”
Salesforce itself has not been compromised, they said, “and this issue is not due to any known vulnerability in its platform.”
“While Salesforce builds enterprise-grade security into everything we do, customers also play a critical role in keeping their data safe — especially amid a rise in sophisticated phishing and social engineering attacks,” the spokesperson continued.
“We continue to encourage all customers to follow security best practices, including enabling multi-factor authentication (MFA), enforcing the principle of least privilege, and carefully managing connected applications.”
Jon Tamplin, head of Security at ThreatAware, said: “Pandora’s statement might have said that ‘only very common types of data’ have been stolen; however, names and email addresses are exactly what attackers need to carry out phishing attacks.”
Tamplin said that Pandora had confirmed the breach was the result of attackers gaining access to a third-party platform. “This is a common trend we see by attackers when targeting large organisations, especially retailers who are dependent on these providers to carry out day-to-day operations.”
Christoph C. Cemper, founder of AIPRM, added: “Retailers should make sure names and emails are encrypted, and not just payment card information. Encrypting commonly accessible consumer data can help limit its exposure in the event of a breach.”
The incidents follow similar attacks in the retail sector that hit the likes of Marks & Spencer, the Co-operative Group and Louis Vuitton.