Exclusive: Former Shiseido staff say company was aware of data breach weeks before official notice

Fake companies were created using the stolen identities of hundreds of Shiseido employees, former staff claim

Management at cosmetics firm Shiseido was allegedly aware of a data breach on company systems weeks before officially reporting the incident to the Information Commissioner’s Office (ICO), according to former employees.

The UK data regulator told IT Pro that the Japanese cosmetics giant first reported “an incident” on 11 April, as per reporting rules that require a company to report any incidents to the ICO no later than 72 hours after first discovery.

However, two former Shiseido employees have told IT Pro that the company had been made aware of the data breach as early as 17 March, following multiple reports of employees having their identities stolen.

One of the victims, former business manager for Shiseido subsidiary NARS Cosmetics, Faye Hopping, detailed how she became aware of her personal details, including a scan of her photo ID, being used to set up a fraudulent company in her name:

“My postman intercepted a letter from Companies House towards the end of March which went to my old property. Luckily he did, or I would have been completely unaware that a company had been established in my name as director! The company was set up from 14/3/22 so I’m not sure when my details would have been breached,” she told IT Pro.

After “emailing countless people within Shiseido”, Hopping was only formally contacted by the company on 19 April with an offer of a 12-month subscription to Experian credit and web monitoring services.

Hopping described the offer as “bit late considering most of us were advised to join Experian & Cifas when we reported the incident to the fraud crime [police]”.

In the same correspondence dated 19 April, the cosmetics giant denied responsibility for the data breach, stating that “there is no evidence that the information has come from Shiseido”.

This is despite the list of victims reportedly including “hundreds” of former and current employees of Shiseido and its subsidiary brands, according to employee reports.

The company has refused to accept liability "as [the breach] could have come from a third party or even HMRC", another former employee who had a fake company set up in their name told IT Pro.

Having received a letter from Companies House in the first week of March congratulating them on becoming a company director, the former employee, who wishes to remain anonymous, promptly notified Action Fraud. However, they didn't find out about the breach until 7 April, when a former co-worker mentioned that they had "attended a Teams Q&A that day about a possible data breach".

"She [the co-worker] was told the company are not accepting liability and therefore had no intention of contacting former colleagues. I also found out that they sent out an email on the 17th March so they were aware of the breach at this point," the former employee said in an email to IT Pro.

"I have since sent four emails to Shiseido HR and Legal [department] but have yet to have a response. They sent out a scripted email on Thursday, 14 April from a new email address they set up specifically for the data breach and I forwarded all emails I’d previously sent to this email address but I have still yet to hear back from them. I have sent a subject of access request and a formal complaint to them but they haven’t responded," she added.

Hopping told IT Pro that she was in contact with 23 former colleagues who had also been affected, adding that “it’s disgusting how this whole incident has been handled".

Shiseido didn’t reply to IT Pro’s multiple requests for comment.

Under GDPR, companies have up to 72 hours to inform the ICO of any data incident, provided it is clear the breach poses a risk to the rights and freedoms of data subjects. If the incident is likely to create significant risk, companies are also required to inform the affected employees without undue delay.

If a company is found to have breached this rule without justification for the delay, it can be liable for a fine of up to £10 million or 2% of global turnover, whichever is higher.
