Tiffany & Co. Data Breach Exposes Customer Information and Gift Card Details

In May 2025, luxury jewelry retailer Tiffany & Co. experienced a significant cybersecurity incident that led to unauthorized access to sensitive customer information. The breach, which occurred around May 12, was identified after an external cybersecurity firm conducted a thorough investigation. The findings revealed that the attackers had accessed and obtained various types of personal data, including:

– Client Names: Full names of customers.
– Postal Addresses: Residential mailing addresses.
– Email Addresses: Contact emails used for communication.
– Phone Numbers: Personal and possibly business contact numbers.
– Sales Data: Records of purchases and transaction histories.
– Internal Client Reference Numbers: Unique identifiers assigned to clients within Tiffany’s systems.
– Gift Card Information: Gift card numbers along with their associated PINs.

The exposure of gift card details is particularly concerning, as cybercriminals can exploit this information to make unauthorized purchases or resell the cards, often with minimal traceability. Additionally, the compromised personal data increases the risk of phishing attacks, where malicious actors impersonate Tiffany & Co. to extract further sensitive information from customers.

Upon discovering the breach, Tiffany & Co. promptly initiated an investigation with the assistance of external cybersecurity experts to assess the scope and impact of the incident. The company also coordinated with law enforcement authorities to address the situation comprehensively.

In communications to affected customers, Tiffany & Co. emphasized its commitment to data security, stating: “We take the security of your personal information seriously and are alerting you about this issue so you can take steps to help protect your information. To date, we have no evidence of harm or further misuse of the affected data in connection with the incident.”

This incident is not isolated within the luxury retail sector. Earlier in 2025, Tiffany’s South Korean branch reported a data breach linked to a third-party vendor. Similarly, other luxury brands under the Louis Vuitton Moët Hennessy (LVMH) umbrella, such as Dior, have faced comparable security challenges. Notably, just days before Tiffany’s disclosure, French conglomerate Kering, which owns brands like Gucci, Balenciaga, and Alexander McQueen, reported a breach exposing 7.4 million files of customer data.

In response to the breach, Tiffany & Co. has taken several measures to enhance the security of its systems and data. The company advises customers to remain vigilant against unsolicited communications requesting personal information or directing them to unfamiliar web pages. Customers are urged not to click on links or download attachments from suspicious emails. Additionally, Tiffany & Co. recommends that affected individuals monitor their account statements and review their credit reports for any unusual activity.

Under U.S. law, individuals are entitled to one free credit report annually from each of the three major credit bureaus. Tiffany & Co. has established a toll-free number for customers seeking further information, available Monday through Friday, 9:00 A.M. to 5:00 P.M. Eastern Time.

The luxury retail industry has increasingly become a target for cyberattacks, underscoring the importance of robust data security measures. Companies like Tiffany & Co. are continually working to strengthen their defenses to protect customer information and maintain trust.