Full Report
In May, Tiffany & Co. confirmed a data breach affecting an unspecified number of customers in South Korea. Tiffany is one of LVMH Moët Hennessy Louis Vuitton’s 75 high-end brands in six different sectors. On May 26, Tiffany Korea emailed select customers to notify them of a cybersecurity breach involving unauthorized access to a vendor...
Analysis Summary
# Incident Report: Tiffany Gift Card Data Breach (Multiple Potential Incidents)
## Executive Summary
Tiffany & Co. disclosed a data breach exposing the gift card information of 2,590 individuals. The breach was identified on September 9, 2025, following an event around May 12, 2025. This is noted as the second reported security incident affecting Tiffany in recent months, following a separate May 2025 disclosure regarding unauthorized access to a vendor platform managing customer data in South Korea. The most recent breach exposed sensitive gift card details, including numbers and PINs, alongside personal information.
## Incident Details
- **Discovery Date:** September 9, 2025 (date on which data exfiltration was determined for the gift card breach)
- **Incident Date:** On or around May 12, 2025 (Gift Card Breach); April 8, 2025 (South Korea Vendor Breach)
- **Affected Organization:** Tiffany & Co. (an LVMH brand)
- **Sector:** Luxury Retail
- **Geography:** The gift card breach notification suggests US-based impact (Maine AG filing), while the prior breach specifically affected South Korea.
## Timeline of Events
### Initial Access
- **Date/Time:** On or around April 8, 2025 (South Korea Vendor Breach) and on or around May 12, 2025 (Gift Card Breach)
- **Vector:** Unauthorized access to a vendor platform used for managing customer data (South Korea incident). The vector for the gift card breach is unspecified but occurred around May 12th. There is speculation linking prior LVMH/Tiffany attacks to the ShinyHunters Salesforce campaign.
- **Details:** The South Korea incident involved unauthorized access to a third-party vendor platform. The May 12th incident led to the exposure of gift card-related data.
### Lateral Movement
- *Details not explicitly provided in the text for either incident.* Lateral movement may have occurred within the vendor network or through subsequent access to Tiffany systems via compromised credentials/data.
### Data Exfiltration/Impact
- **South Korea Incident:** Unauthorized access to a vendor platform managing customer data occurred in April. LVMH allegedly paid 4 BTC in extortion demands related to attacks on some brands (including Tiffany/Dior).
- **Gift Card Incident (May/September):** Compromise of data related to 2,590 Tiffany gift cards. Affected data included client name, postal address, email address, phone number, sales data, internal client reference number, and Tiffany gift card number and PIN.
### Detection & Response
- **Detection:** The gift card breach was determined through investigation on September 9, 2025. The South Korea breach was disclosed to select customers via email on May 26, 2025.
- **Response Actions:** Tiffany submitted notification letters regarding the gift card breach to affected individuals and regulatory bodies (e.g., Maine Attorney General’s Office). LVMH reportedly paid 4 BTC in extortion demands following earlier related attacks.
## Attack Methodology
- **Initial Access:** Unauthorized access to a third-party vendor platform suspected; linkage to UNC6040/ShinyHunters Salesforce campaign suggested but unconfirmed for both incidents.
- **Persistence:** *Not detailed.*
- **Privilege Escalation:** *Not detailed.*
- **Defense Evasion:** *Not detailed.*
- **Credential Access:** *Not detailed.*
- **Discovery:** *Not detailed.*
- **Lateral Movement:** *Not detailed.*
- **Collection:** Targeted collection of gift card information (numbers and PINs) along with associated customer PII and sales data.
- **Exfiltration:** *Not detailed.*
- **Impact:** Financial compromise of gift card balances; exposure of PII and sensitive financial identifiers (gift card PINs).
## Impact Assessment
- **Financial:** LVMH allegedly paid 4 BTC (ransom) following earlier related threats/attacks. Direct financial costs from the gift card breach are not detailed but likely include remediation, notification, and potential liability.
- **Data Breach:** Gift card data of 2,590 individuals was affected. Data included Name, Postal Address, Email, Phone Number, Sales Data, Client Reference Number, **Gift Card Number, and PIN.**
- **Operational:** Operational impact details are sparse, though the involvement of external vendors suggests supply chain risk realization.
- **Reputational:** Tiffany disclosed its second breach in recent months, potentially impacting consumer trust, particularly given the exposure of gift card PINs.
## Indicators of Compromise
- *Specific IoCs (URLs/IPs) were not mentioned in the source text.*
- **Behavioral indicators:** Unauthorized access on vendor platforms; execution of cyber extortion demands potentially followed by payment.
## Response Actions
- **Containment:** *Not detailed.* Containment measures are implied to have followed the September 9th determination regarding the gift card exposure.
- **Eradication:** *Not detailed.*
- **Recovery actions:** Notifying affected parties and regulatory bodies about the gift card data exposure.
## Lessons Learned
- The organization experienced at least two separate security incidents within approximately one month (April/May 2025), highlighting potential systemic vulnerabilities or repeated targeting.
- Reliance on third-party vendor platforms poses a significant supply chain risk, as evidenced by the South Korea breach.
- Payment of extortion demands (4 BTC allegedly paid in connection with related attacks) does not guarantee the cessation of attacks or the protection of all data.
## Recommendations
- Immediately audit security posture and configuration of all critical third-party vendor platforms managing sensitive customer data.
- Implement rigorous controls around storing and transmitting sensitive data elements, particularly payment instruments like gift card PINs (e.g., ensuring PINs are not stored alongside card numbers if necessary).
- Review the effectiveness of current detection mechanisms, as the gift card compromise was only confirmed nearly four months after the incident date (May 12 to September 9).