Response ready

eStar sales director Alan Singer talks cyber resilience.

On Monday, 5th August 2019, the CEO of Sephora, Alia Gogi, emailed Sephora customers in South East Asia to say that Sephora had become aware of a data breach affecting customer data in South East Asia, which (they estimate) occurred sometime during the preceding fortnight.

Sephora’s website says that not only is it the leading chain of perfume and cosmetics stores in France, but also a powerful beauty presence globally.

Sephora operates 1,900+ stores in 29 countries, with an expanding base of over 200 stores across the Asia Pacific region including Australia.

Sephora, whilst unable to prevent the breach, has done the next best thing: creating a well-conceived and professionally orchestrated response to the data breach. Sephora’s response has clearly benefited from extensive pre-planning and careful attention to all the important touchpoints required in such a crisis.

Firstly, Sephora is to be acknowledged for having the technical capability to identify and qualify the breach, and for immediately going public to report it and launching a competent response plan.

In the CEO’s email, Sephora reassured customers that “no credit card information was accessed,” and that they have “no reason to believe that any personal data has been misused.” This is very good news to all involved, as it eliminates one of the most dire aspects of a data breach: had credit card details been stolen and misused, the consequences for customers would have been very inconvenient and financially punishing.

In the same email, the CEO then went on to provide detail on the personal information that Sephora believe has been wrongfully accessed: customer first and last name, date of birth, gender, email address, encrypted password, and data related to beauty preferences.

By being explicit on the actual personal information exposed, Sephora has taken a big step towards creating a level of certainty in the mind of customers, so that it is clear what actual data was compromised and it is not left to a customer’s imagination.

And beyond a written summary of what has occurred and a sincere written apology to its customers for the breach, Sephora very capably worked to alleviate concerns and show commitment to customers with three significant tactics:

  • Sephora detailed what it had done as remedial measures to prevent any further data breaches (“We have cancelled all existing passwords for customer accounts and we have thoroughly reviewed our security systems.”)
  • Sephora then offered a remedy to its customers. It offered to provide a personal data monitoring service from a leading third-party provider (Globalidworks) at no cost to the customers. This positive initiative is a gesture beyond words: a tangible and useful capability that will practically help customers be notified of any consequences to them personally from the data breach. This gesture can only help reduce some of the negative emotion that customers may feel as a result of the data breach, and it shows Sephora as a proactive and caring organisation.
  • And thirdly, Sephora concluded their communication by making suggestions which help to convey a symbolic ‘completion’ of the issue. These suggestions included a reminder to customers to change their passwords and detailed instructions on how customers can sign up for the free personal data monitoring.

The quality and timeliness of Sephora’s response to their breach is evidence that organisations are now realising that planning to manage a data breach is best done before the breach happens.

Cyber risk grows higher every day. As well as doing everything possible to maintain the highest level of cyber security, businesses need to identify all likely cyber breach scenarios and start developing response plans in advance.

Waiting to develop a response plan after a data breach has occurred will only magnify the negative consequences of the breach. Organisations are encouraged to build what is now referred to as their ‘cyber resilience’ capability.

Cyber resilience is the ability to prepare for, respond to and recover from a cyber-attack. Resilience is more than just preventing or responding to an attack – it also takes into account the ability to operate, adapt and recover from such an event.

Does your organisation have a cyber resilience plan?