weerapat1003 - stock.adobe.com

Shiseido data breach victims plan legal action over fake companies

Employees and former employees of cosmetics firm Shiseido whose data was stolen in a recent breach are planning group legal action after their information was used to establish fraudulent companies in their names

Employees and former employees of the UK business of Japanese cosmetics firm Shiseido who found their personal information had been exposed in a data breach are being asked to come forward to take part in a proposed group legal action against the company.

The breach took place in the spring of 2022 and was notified to the Information Commissioner’s Office (ICO) in mid-April. This was supposedly in line with reporting regulations, which require the ICO to be told of impactful breaches within 72 hours, but according to reports at the time, employees had alleged that Shiseido was aware of the incident a month earlier than that.

The data breach resulted in ID images, bank details and contact details being leaked, according to Ruby Keeler-Williams of Elysium Law, a Cheshire-based direct access barristers chambers with litigation privileges, who is spearheading the claim.

Keeler-Williams said that the data appeared to have been sold or passed to criminal groups due to its highly sensitive nature. Victims have seen their credit ratings hit and some have had bank loans taken out in their name. Even worse, around 500 individuals found that they had fraudulent companies established in their names.

“Almost all of the victims had companies set up,” Keeler-Williams told Computer Weekly. “It is very significant that individuals clearly gained access to sensitive information such as passports and ID documents, enough information to set up a company and bank accounts.

“They found out when they received documentation from Companies House requesting accounts for companies that they had no idea existed…Almost all of them have never owned a company before, they were employees – they have no experience of dealing with these matters.

“It has been quite distressing for them. Almost all of them have seen their credit scores go down. We’ve seen people applying for mortgages be turned down because of this. One lady’s mother was dying of a terminal illness during this, and this took her focus away and caused her mother some distress in her last weeks,” she said.

Although Shiseido had denied liability for the breach, it has offered those affected access to credit monitoring services through Experian. Over the summer of 2022, it sought and was granted an order in the High Court to strike more than 300 fraudulent companies from the register under sections of the Companies Act of 2006 that cover the provision of factually inaccurate information to Companies House.

Keeler-Williams said these were unusual developments given Shiseido was spending not insignificant sum of money on resolving an issue it supposedly has nothing to do with.

“It is relevant that there has been a lack of communication here from Shiseido,” she said. “While the optics look as if they have taken action to help, they have been quite dismissive or bullish. Some victims have made SARs [subject access requests under GDPR] which have gone unanswered.”

At this stage, Elysium Law is looking to commence action on behalf of those who have come forward so far – between 70 and 80 people at the time of writing. This claim is still at the pre-issue stage, but Keeler-Williams said there were various heads of loss under consideration, the most relevant being damages for the distress caused by the breach of data protection legislation.

The action will also seek to establish what Shiseido knew about the breach, what information it passed to the ICO when it disclosed the incident, and what information it had on its files for the affected employees.

Keeler-Williams said in light of allegations that Shiseido did not report the incident for over a month, the role of the ICO in the incident would be particularly relevant.

Shiseido had not responded to requests for comment at the time of publication.

Read more about data breaches

  • The August 2022 cyber attack on LastPass seems to have begat a data breach exposing customer information, according to company CEO Karim Toubba.
  • Australia’s Optus sets aside A$140m as an exceptional expense for a customer remediation programme following a massive data breach that affected 10 million customers.
  • Whistleblower calls for NatWest to pay the Information Commissioner’s Office annual data controller fee, as the personal details of 1,600 current and former NatWest customers remain under her bed.

Read more on Data breach incident management and recovery