News Analysis: Pandora Discloses Data Breach After Salesforce Attacks
Danish jewelry giant Pandora has disclosed a data breach after its customer information was stolen in an ongoing wave of attacks targeting companies’ Salesforce databases. The breach, which was first reported by Forbes and confirmed by Pandora, saw an “unauthorized party” access customer names, birthdates, and email addresses through a third-party platform. Pandora has since stated that it has “further strengthened [its] security measures.”
While Pandora did not name the platform, reports from BleepingComputer have confirmed the data was stolen from the company’s Salesforce database. The notorious threat actor group ShinyHunters has claimed responsibility for these attacks, which have also affected other major brands like Adidas, Qantas, and LVMH subsidiaries. The group’s tactic is to use “double extortion” by first exfiltrating the data and then demanding a ransom to prevent it from being leaked or sold. This incident is a prime example of the growing trend of sophisticated supply chain attacks that exploit a shared vendor to compromise multiple clients.
Key Insights into the Pandora Data Compromise
This data breach carries several critical implications:
- Sophisticated Social Engineering Attack Vector: The attack was not a result of a direct vulnerability in Salesforce’s platform. Instead, threat actors used highly sophisticated social engineering and phishing campaigns to steal Salesforce credentials or trick employees into authorizing malicious applications. This highlights the human element as a key vulnerability in cybersecurity and underscores the importance of employee awareness and robust authentication controls.
- Significant Legal and Regulatory Obligations: As a Danish company, Pandora is subject to the General Data Protection Regulation (GDPR). The company would have a strict legal obligation to notify the Danish Data Protection Agency (Datatilsynet) within 72 hours of becoming aware of the breach. Failure to comply could result in severe penalties, with fines reaching up to €20 million or 4% of a company’s global annual turnover, whichever is higher, for severe violations.
- Supply Chain Risk and Reputational Damage: The attack on a third-party vendor like Salesforce creates a significant supply chain risk. A breach of a shared platform can have a cascading effect, compromising the data of multiple clients simultaneously. For Pandora, a brand that has built its reputation on trust and quality, a data breach involving customer information can severely damage its reputation and erode customer confidence, leading to long-term financial and brand harm.
- The ShinyHunters Extortion Tactic: The threat actor group ShinyHunters is a known entity that has been involved in numerous data breaches and extortion schemes, including the 2024 Snowflake data-theft attacks that compromised the data of major companies like Ticketmaster and Santander Bank. The group’s tactic is to privately extort companies and then publicly leak the data of those who do not pay. This puts a company in a difficult position of either paying a ransom or facing a public data leak.
Critical Mitigation Strategies for Companies and Individuals
In response to this attack, immediate and robust mitigation efforts are essential:
- Enhanced Third-Party and Cloud Security: All companies, especially those that use third-party platforms like Salesforce, must have a strong security posture. This includes enforcing the principle of least privilege, conducting regular security audits of all connected applications, and implementing robust access controls.
- Mandatory MFA and User Training: Organizations must enforce Multi-Factor Authentication (MFA) for all user accounts, especially those with privileged access to sensitive platforms like Salesforce. It is also critical to conduct ongoing security awareness training for all employees, with a focus on identifying and resisting sophisticated phishing and social engineering attacks.
- Review and Harden Incident Response Plan: Companies should review and update their incident response plans to address data breaches stemming from third-party vendor attacks. This plan should include a clear communication strategy for notifying affected customers and regulatory authorities, as required by law.
- Proactive Monitoring for Compromised Credentials: Companies should use advanced threat intelligence services to monitor for compromised credentials associated with their employees and systems on the dark web and other hacker forums. This proactive monitoring allows for a faster response and can prevent unauthorized access before it leads to a full-scale breach.
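The audit of connected applications recommended above can be automated against an export of app authorizations. The sketch below is an added example, not code from Pandora, Salesforce, or this site. The column names, allowlist, scope strings, and sample rows are all constructed for illustration. It flags apps that are not on the approved list, apps whose names imitate an approved one, and approved apps holding scopes beyond what was granted.

```python
import csv, io
from difflib import SequenceMatcher

# Constructed allowlist: approved connected apps and the scopes each may hold.
APPROVED = {
    "Data Loader": {"api", "refresh_token"},
    "Marketing Sync": {"api"},
}

# Constructed sample export of connected-app authorizations (hypothetical columns).
SAMPLE_EXPORT = """app_name,authorized_by,scopes,authorized_at
Data Loader,alice@example.com,api refresh_token,2025-06-02
Marketing Sync,bob@example.com,api full,2025-06-10
My Ticket Portal,carol@example.com,api refresh_token,2025-07-28
Data L0ader,dave@example.com,full refresh_token,2025-07-29
"""

def lookalike(name, approved, threshold=0.85):
    """Return the approved app name that `name` closely imitates, if any."""
    for good in approved:
        ratio = SequenceMatcher(None, name.lower(), good.lower()).ratio()
        if name != good and ratio >= threshold:
            return good
    return None

def audit(export_text, approved=APPROVED):
    """Return (app, user, finding) tuples for authorizations needing review."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        app, user = row["app_name"].strip(), row["authorized_by"].strip()
        scopes = set(row["scopes"].split())
        if app not in approved:
            imitated = lookalike(app, approved)
            reason = f"unapproved app imitating '{imitated}'" if imitated else "unapproved app"
            findings.append((app, user, reason))
        elif scopes - approved[app]:
            # Least privilege: any scope beyond the approved set is a finding.
            extra = ", ".join(sorted(scopes - approved[app]))
            findings.append((app, user, f"scopes beyond approval: {extra}"))
    return findings

if __name__ == "__main__":
    for app, user, finding in audit(SAMPLE_EXPORT):
        print(f"{app:18} {user:22} {finding}")
```

Each finding names the authorizing user, so the review can start with the employee who approved the app and revoke the grant if it was not intended.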
Need Further Assistance?
If you have any further questions regarding this critical incident, suspect your personal data or your organization’s sensitive information may be compromised, or require advanced cyber threat intelligence and dark web monitoring services, you are encouraged to use the ‘Ask to Analyst’ feature to consult with a real expert, contact Brinztech directly, or, if you find the information irrelevant, open a support ticket for additional assistance.