Shiseido data breach victims plan legal action over fake companies

Employees and former employees of the UK business of Japanese cosmetics firm Shiseido who found their personal information had been exposed in a data breach are being asked to come forward to take part in a proposed group legal action against the company.

The breach took place in the spring of 2022 and was notified to the Information Commissioner’s Office (ICO) in mid-April. This was supposedly in line with reporting regulations, which require the ICO to be told of impactful breaches within 72 hours, but according to reports at the time, employees had alleged that Shiseido was aware of the incident a month earlier than that.

The data breach resulted in ID images, bank details and contact details being leaked, according to Ruby Keeler-Williams of Elysium Law, a Cheshire-based direct access barristers chambers with litigation privileges, who is spearheading the claim.

Keeler-Williams said that the data appeared to have been sold or passed to criminal groups due to its highly sensitive nature. Victims have seen their credit ratings hit and some have had bank loans taken out in their name. Even worse, around 500 individuals found that they had fraudulent companies established in their names.

“Almost all of the victims had companies set up,” Keeler-Williams told Computer Weekly. “It is very significant that individuals clearly gained access to sensitive information such as passports and ID documents, enough information to set up a company and bank accounts.

“They found out when they received documentation from Companies House requesting accounts for companies that they had no idea existed…Almost all of them have never owned a company before, they were employees – they have no experience of dealing with these matters.

“It has been quite distressing for them. Almost all of them have seen their credit scores go down. We’ve seen people applying for mortgages be turned down because of this. One lady’s mother was dying of a terminal illness during this, and this took her focus away and caused her mother some distress in her last weeks,” she said.

Although Shiseido had denied liability for the breach, it has offered those affected access to credit monitoring services through Experian. Over the summer of 2022, it sought and was granted an order in the High Court to strike more than 300 fraudulent companies from the register under sections of the Companies Act of 2006 that cover the provision of factually inaccurate information to Companies House.

Keeler-Williams said these were unusual developments given Shiseido was spending not insignificant sum of money on resolving an issue it supposedly has nothing to do with.

“It is relevant that there has been a lack of communication here from Shiseido,” she said. “While the optics look as if they have taken action to help, they have been quite dismissive or bullish. Some victims have made SARs [subject access requests under GDPR] which have gone unanswered.”

At this stage, Elysium Law is looking to commence action on behalf of those who have come forward so far – between 70 and 80 people at the time of writing. This claim is still at the pre-issue stage, but Keeler-Williams said there were various heads of loss under consideration, the most relevant being damages for the distress caused by the breach of data protection legislation.

The action will also seek to establish what Shiseido knew about the breach, what information it passed to the ICO when it disclosed the incident, and what information it had on its files for the affected employees.

Keeler-Williams said in light of allegations that Shiseido did not report the incident for over a month, the role of the ICO in the incident would be particularly relevant.

Shiseido had not responded to requests for comment at the time of publication.