Last month an employee from the beauty retailer Sephora abused the privileges she had been granted to carry out her duties in order to access the Sephora account of celebrity Jeffree Star.
Sephora is a French chain of cosmetics stores that sells its own private-label cosmetics alongside nearly 300 other brands. These brands offer products such as makeup, skincare, perfume and haircare. Sephora holds customer information such as name, address and contact number, among other sensitive data.
Star announced via the social media app Snapchat that he had received a text from an unknown number. This was not a case of smishing (SMS phishing): the sender confirmed to Star by text that she worked for Sephora and that she had looked up his VIB Rouge account in Sephora's system in order to obtain his phone number.
Once Star had been contacted by Sephora, he announced via Twitter that he was not the only celebrity that this employee had targeted:
Sephora’s data breach has ignited panic among many account holders who are questioning the protection and privacy of their personal data.
At this time, Sephora will be grateful that GDPR will not be introduced until 2018, as a breach of this nature could eventually cost them a fine of up to €20,000,000 or 4% of global turnover.
Understanding the importance of handling data correctly, and of ensuring that employees follow corporate policies, is crucial for any organisation. That includes handling sensitive data such as customer bank details and contact information, and understanding regulations such as PCI DSS. Any employee who comes into contact with payment or credit card information should understand the importance of PCI DSS and its impact on them and their organisation.
Organisations can best ensure that employees follow those policies and best practices through an awareness training programme that focuses on secure data handling.
Does this sound of interest to your organisation?