Exclusive: Former Shiseido staff say company was aware of data breach weeks before official notice


Management at cosmetics firm Shiseido was allegedly aware of a data breach on company systems weeks before officially reporting the incident to the Information Commissioner’s Office (ICO), according to former employees.

The UK data regulator told IT Pro that the Japanese cosmetics giant first reported “an incident” on 11 April, as per reporting rules that require a company to report any incidents to the ICO no later than 72 hours after first discovery.

However, two former Shiseido employees have told IT Pro that the company had been made aware of the data breach as early as 17 March, following multiple reports of employees having their identities stolen.

One of the victims, former business manager for Shiseido subsidiary NARS Cosmetics, Faye Hopping, detailed how she became aware of her personal details, including a scan of her photo ID, being used to set up a fraudulent company in her name:

“My postman intercepted a letter from Companies House towards the end of March which went to my old property. Luckily he did, or I would have been completely unaware that a company had been established in my name as director! The company was set up from 14/3/22 so I’m not sure when my details would have been breached,” she told IT Pro.

After “emailing countless people within Shiseido”, Hopping was only formally contacted by the company on 19 April with an offer to provide a 12-month subscription to Experian credit and web monitoring services.

Hopping described the offer as “bit late considering most of us were advised to join Experian & Cifas when we reported the incident to the fraud crime [police]”.

In the same correspondence dated 19 April, the cosmetics giant denied responsibility for the data breach, stating that “there is no evidence that the information has come from Shiseido”.

This is despite the list of victims reportedly including “hundreds” of former and current employees of Shiseido and its subsidiary brands, according to employee reports.

The company has refused to accept liability "as [the breach] could have come from a third party or even HMRC", another former employee who had a fake company set up in their name told IT Pro.

Having received a letter from Companies House in the first week of March congratulating them on becoming a company director, the former employee, who wishes to remain anonymous, promptly notified Action Fraud. However, they didn't find out about the breach until 7 April, when a former co-worker mentioned that they had "attended a Teams Q&A that day about a possible data breach".

"She [the co-worker] was told the company are not accepting liability and therefore had no intention of contacting former colleagues. I also found out that they sent out an email on the 17th March so they were aware of the breach at this point," the former employee said in an email to IT Pro.

"I have since sent four emails to Shiseido HR and Legal [department] but have yet to have a response. They sent out a scripted email on Thursday, 14 April from a new email address they set up specifically for the data breach and I forwarded all emails I’d previously sent to this email address but I have still yet to hear back from them. I have sent a subject of access request and a formal complaint to them but they haven’t responded," she added.

Hopping told IT Pro that she was in contact with 23 former colleagues who had also been affected, adding that “it’s disgusting how this whole incident has been handled”.

Shiseido didn’t reply to IT Pro’s multiple requests for comment.

Under GDPR, companies have up to 72 hours to inform the ICO of any data incident, provided it's clear the breach poses a risk to the rights and freedoms of data subjects. If the incident is likely to create significant risk, companies are also required to inform employees without undue delay.

If a company is found to have breached this rule without justification for a delay, it can be liable for a fine of up to £10 million or 2% of global turnover, whichever is higher.

Sabina Weston
