Sephora fined $1.2 million for data misuse, after a 2019 data leak

Sephora, one of the largest cosmetics retailers, has been in the news twice over how it handles customer data: once for a data leak, and now for a large fine over its use of that data. The latest issue is an enforcement action brought under the California Consumer Privacy Act (CCPA), which Sephora settled for $1.2 million over the use of customer data without the customers' knowledge or consent.

The California Consumer Privacy Act (CCPA) gives California consumers the right to know what personal information a business collects about them and how it is used, to opt out of the sale of that information, and to have the data a company has collected about them deleted.

As a result, the cosmetics and beauty retailer will pay $1.2 million to settle the claims brought by the California Attorney General. The case stems from Sephora's failure to inform customers that their personal information was being shared with third-party vendors. Sephora allegedly did not tell users that the company sold personal data collected on its website through cookies, and did not process opt-out requests that users made through their privacy controls. The company allowed third-party vendors such as advertising, marketing, and data analytics firms to buy and access customers' data and online activity for their own purposes.

The complaint filed with the court stated:

“Consumers are constantly tracked when they go online. Sephora, like many online retailers, installs third-party companies’ tracking software on its website and in its app so that these third parties can monitor consumers as they shop. Third parties track all types of data; in Sephora’s case, third parties can track whether a consumer is using a MacBook or a Dell, the brand of eyeliner that a consumer puts in their “shopping cart,” and even the precise location of the consumer.”

“…This data about consumers is frequently kept by companies and used for the benefit of other businesses, without the knowledge or consent of the consumer.”

Despite these accusations, Sephora responded that it had not violated the law, saying the company respects customers' privacy and aims to be transparent about how personal data is used.


Sephora executives said in a statement: “Sephora was not the target or victim of a data breach, and this agreement with the California Office of the Attorney General (“OAG”) does not constitute an admission of liability or fault by Sephora.”

They further stated that the company uses customer data strictly to deliver Sephora experiences and that the CCPA's definition of "sale" is broader than the conventional meaning of the word. Despite these objections, the settlement still requires Sephora to pay the fine. Consumers can opt out of the sale of their data through the “CA - Do Not Sell My Personal Information” link, which the company said is available in the footer of the Sephora website.
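The two opt-out paths the page mentions (opt-out requests made through the user's own privacy controls, which the complaint says were not processed, and the "Do Not Sell" footer link) both come down to one server-side decision: should the third-party tags that share data be loaded for this request? The following is an added example, not Sephora's code or anything from the article. It assumes that the browser-level Global Privacy Control signal arrives as a `Sec-GPC: 1` request header, that the footer link sets a first-party cookie named `ccpa_do_not_sell=1`, and that each third-party tag is labelled with its purpose; the tag names, cookie name and sample requests are invented for illustration.

```javascript
// Added example (not Sephora's code): gate third-party tags on the user's
// "do not sell" opt-out signals before they are injected into the page.
// Assumptions, not taken from the article: the Global Privacy Control signal
// is the "Sec-GPC: 1" request header; the footer link sets the first-party
// cookie "ccpa_do_not_sell=1"; the tag catalog below is invented.

const TAG_CATALOG = [
  { name: 'session-analytics', purpose: 'essential' }, // first-party only, no sale
  { name: 'ad-network-pixel', purpose: 'sale' },       // shares cart contents
  { name: 'retargeting-script', purpose: 'sale' },     // shares browsing activity
  { name: 'precise-geo-sdk', purpose: 'sale' },        // shares device location
];

// Minimal Cookie header parser: "a=1; b=2" -> { a: '1', b: '2' }.
function parseCookies(cookieHeader) {
  const jar = {};
  if (!cookieHeader) return jar;
  for (const part of cookieHeader.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const key = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (key) jar[key] = decodeURIComponent(value);
  }
  return jar;
}

// Case-insensitive header lookup (Node lowercases req.headers already, but
// the sample requests below are plain objects with mixed-case keys).
function headerValue(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return Array.isArray(value) ? value[0] : value;
  }
  return undefined;
}

// Decide whether this request carries an opt-out. The GPC header is checked
// first: it is a browser-wide signal and must be honoured even when the user
// never clicked the footer link, so it cannot be overridden by cookie state.
// Only the exact value "1" is an opt-out; "0" or garbage is not.
function optOutDecision(headers) {
  const gpc = headerValue(headers, 'sec-gpc');
  if (gpc !== undefined && String(gpc).trim() === '1') {
    return { optedOut: true, reason: 'gpc' };
  }
  const cookies = parseCookies(headerValue(headers, 'cookie'));
  if (cookies.ccpa_do_not_sell === '1') {
    return { optedOut: true, reason: 'cookie' };
  }
  return { optedOut: false, reason: 'none' };
}

// Return the names of the tags that may be rendered for this request.
// Tags whose purpose is 'sale' are dropped when the user has opted out;
// essential first-party tags always load.
function tagsToLoad(headers, catalog = TAG_CATALOG) {
  const decision = optOutDecision(headers);
  return catalog
    .filter((tag) => !(decision.optedOut && tag.purpose === 'sale'))
    .map((tag) => tag.name);
}

// Constructed sample requests (not captured traffic).
const SAMPLE_REQUESTS = {
  noSignal: { cookie: 'session=abc123' },
  gpcBrowser: { 'Sec-GPC': '1', cookie: 'session=abc123' },
  footerLink: { cookie: 'session=abc123; ccpa_do_not_sell=1' },
  gpcZero: { 'sec-gpc': '0' },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, headers] of Object.entries(SAMPLE_REQUESTS)) {
    console.log(label, optOutDecision(headers), tagsToLoad(headers));
  }
}
```

The point of the ordering is that an opt-out expressed through the browser's own privacy control wins regardless of whether the site's cookie was ever set, which is exactly the request type the complaint says was not processed; the essential first-party tag is unaffected, so opting out does not break the site.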

Not Sephora's first cybersecurity incident

In 2019 Sephora suffered a large leak of its users' personal information and failed to inform its users of the issue. The VPNOverview security team discovered the exposure, which affected customers of the cosmetics giant. The group, led by cybersecurity researcher Aaron Phillips, confirmed that the exposed data contained the personally identifiable information (PII) of nearly half a million shoppers, all members of Sephora's rewards program in 2019. The data was exposed after Sephora exported information from its database and stored the export in the Amazon cloud. More than 490,000 people were reported to be affected. The exposed information included full names, email addresses, account numbers and encrypted passwords, card numbers, phone numbers, users' stated preferences, and Sephora reward points.

Since then the company has taken measures such as resetting all existing customer account passwords and reviewing its security systems. Customers' trust in the brand appears largely intact, since business has continued as usual. Given the types of information potentially exposed, Sephora customers should nonetheless take additional steps to protect themselves against identity theft, and should read the data-sharing and privacy policies on the official websites they use.

Kristi Shehu is a Cyber Security Engineer (Application Security) and Cyber Journalist based in Albania. She lives and breathes technology, specializing in crafting content on cyber news and the latest security trends, all through the eyes of a cyber professional. Kristi is passionate about sharing her thoughts and opinions on the exciting world of cyber security, from breakthrough emerging technologies to dynamic startups across the globe.