
Jewellery Giant Pandora Informs on Cyber-Attack

Confirms “some customer information” was potentially accessed via third-party platform.


The jewellery retailer Pandora has notified customers about a cybersecurity attack and data breach.

In an email sent to potentially impacted customers on Tuesday, the company confirmed that the cyber-attack was on an unnamed third-party platform that Pandora uses. It confirmed that “some customer information” was potentially accessed through that platform, but that its core internal systems were not affected.

While Pandora has not shared the name of the third-party platform, BleepingComputer claimed the data was stolen from the company's Salesforce database.

Pandora said that the cyber-attack had already been stopped, and according to Cybernews, the company has strengthened its security measures and only “very common types of data were copied by the attacker.”

Darren Williams, founder and CEO of BlackFog, said: “The Pandora data breach is a stark reminder that retailers remain prime targets for cyber-criminals. Pandora now joins the growing list of high‑profile victims, including Marks & Spencer, Co‑op, and Harrods, highlighting how attackers are relentlessly targeting customer data across the retail sector.”

Common Data

Jon Tamplin, head of security at ThreatAware, said that while the statement might have said that “only very common types of data” have been stolen, names and email addresses are exactly what attackers need to carry out phishing attacks.

“Pandora confirmed that the breach was the result of attackers gaining access to a third-party platform. This is a common trend we see by attackers when targeting large organisations, especially retailers who are dependent on these providers to carry out day-to-day operations,” he said.

“With so many attacks against retailers, this indicates a wider issue: the security basics are not being followed. The fundamentals of security such as visibility of all endpoints, strong cyber hygiene, and robust user validation are not optional when it comes to keeping personal information safe.”

Common Weak Link

Mark Weir, regional director of UK and Ireland at Check Point Software, said, “The attack came via a third-party platform – a common weak link in retail ecosystems. These integrations often lack visibility, yet when they’re breached, there’s no guarantee all affected customers will be told.

“Pandora’s customer response was vague and light on detail. The ICO requires notification within 72 hours of becoming aware of a breach, yet there’s no timeline or clarity on when authorities were informed. Customers were directed to a generic help page, not specific guidance. Clearer communication and stronger signposting to cyber support, such as the NCSC, should be standard.”



Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.

