
Exclusive: Former Shiseido staff say company was aware of data breach weeks before official notice

Fake companies were created using the stolen identities of hundreds of Shiseido employees, former staff claim


Management at cosmetics firm Shiseido was allegedly aware of a data breach on company systems weeks before officially reporting the incident to the Information Commissioner’s Office (ICO), according to former employees.

The UK data regulator told IT Pro that the Japanese cosmetics giant first reported “an incident” on 11 April. Under UK GDPR, a data controller must report a personal data breach to the ICO within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned.

However, two former Shiseido employees have told IT Pro that the company had been made aware of the data breach as early as 17 March, following multiple reports of employees having their identities stolen.

One of the victims, former business manager for Shiseido subsidiary NARS Cosmetics, Faye Hopping, detailed how she became aware of her personal details, including a scan of her photo ID, being used to set up a fraudulent company in her name:

“My postman intercepted a letter from Companies House towards the end of March which went to my old property. Luckily he did, or I would have been completely unaware that a company had been established in my name as director! The company was set up from 14/3/22 so I’m not sure when my details would have been breached,” she told IT Pro.

After “emailing countless people within Shiseido”, Hopping was only formally contacted by the company on 19 April, with an offer of a 12-month subscription to Experian credit and web monitoring services.

Hopping described the offer as “bit late considering most of us were advised to join Experian & Cifas when we reported the incident to the fraud crime [police]”.

In the same correspondence dated 19 April, the cosmetics giant denied responsibility for the data breach, stating that “there is no evidence that the information has come from Shiseido”.

This is despite employees reporting that the list of victims includes “hundreds” of former and current employees of Shiseido and its subsidiary brands.

The company has refused to accept liability "as [the breach] could have come from a third party or even HMRC", another former employee who had a fake company set up in their name told IT Pro.

Having received a letter from Companies House in the first week of March congratulating them on becoming a company director, the former employee, who wishes to remain anonymous, promptly notified Action Fraud. However, they did not learn that Shiseido had suffered a breach until 7 April, when a former co-worker mentioned that they had "attended a Teams Q&A that day about a possible data breach".

"She [the co-worker] was told the company are not accepting liability and therefore had no intention of contacting former colleagues. I also found out that they sent out an email on the 17th March so they were aware of the breach at this point," the former employee said in an email to IT Pro.

"I have since sent four emails to Shiseido HR and Legal [department] but have yet to have a response. They sent out a scripted email on Thursday, 14 April from a new email address they set up specifically for the data breach and I forwarded all emails I’d previously sent to this email address but I have still yet to hear back from them. I have sent a subject access request and a formal complaint to them but they haven’t responded," she added.

Hopping told IT Pro that she was in contact with 23 former colleagues who had also been affected, adding that “it’s disgusting how this whole incident has been handled".

Shiseido didn’t reply to IT Pro’s multiple requests for comment.

Under UK GDPR, companies must inform the ICO of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to the rights and freedoms of the data subjects. Where the breach is likely to result in a high risk to those individuals, companies are also required to inform the affected people themselves, in this case employees and former employees, without undue delay.

If a company is found to have breached these notification rules without justification for the delay, it can be liable for a fine of up to £8.7 million or 2% of annual global turnover, whichever is higher (the standard maximum under UK GDPR; the equivalent figure under the EU GDPR is €10 million).
