High-end jewelry retailer Tiffany & Co. has begun notifying customers in the United States and Canada about a data breach that compromised their personal information. The breach, which occurred on or around May 12, 2025, involved an unauthorized third party gaining access to the company’s systems. This security incident has prompted Tiffany to alert impacted individuals about the theft of their data and the potential risks they now face.
An internal investigation into the breach revealed that the attacker successfully obtained sensitive customer information related to Tiffany gift cards. The stolen data includes an individual’s name, email address, postal address, phone number, and sales data. The hackers also accessed gift card numbers and their corresponding PINs, raising concerns about potential fraudulent use. Tiffany & Co. is taking this matter seriously and is working to mitigate any further risks to its customers.
The company has formally reported the incident to the Maine Attorney General’s Office, stating that more than 2,500 individuals have been affected by the data breach. However, it remains unclear whether this figure includes affected Canadian customers, as this information was not specified in the disclosure. The scope of the breach is still being determined, and Tiffany is continuing its investigation to understand the full extent of the compromised data.
The incident comes amidst a series of cyberattacks targeting several brands under the French luxury conglomerate LVMH, which also owns Louis Vuitton and Dior. These brands were recently impacted by a campaign conducted by the cybercrime group Scattered Spider, which targeted data from the Salesforce instances of many major companies. Although the Tiffany breach occurred during this period, it is not yet clear whether the two incidents are related or if the jewelry retailer’s breach is a separate, unrelated intrusion.
It is worth noting that Tiffany’s disclosure mentions that the hackers accessed its own systems, with no mention of a third-party service like Salesforce, which was the focus of the Scattered Spider attacks. While this distinction may suggest the incidents are unrelated, investigations are still underway to confirm this. No known ransomware group has publicly claimed responsibility for the attack on Tiffany & Co. to date.