Pandora, one of the world's most iconic jewellery brands, has become the latest high-profile target in a growing wave of cyber-attacks after confirming a data breach via a third-party platform. While no passwords or payment details were accessed, the breach has exposed sensitive customer information, including names, email addresses, and dates of birth.

Cybersecurity expert Zain Javed, CTO at Citation Cyber, spoke exclusively about the seriousness of the attack and what it means for Pandora's customers and the broader retail sector.

"This is still a big deal," Javed says. "That exposed data is a gift to cybercriminals. It allows them to send convincing fake emails pretending to be Pandora, nudging people into clicking dodgy links or handing over card details.

This breach doesn't end with the stolen data. It starts there."

Javed warns that customers should now be on high alert for targeted phishing attacks, using the breached data to trick users into giving up even more sensitive information.

According to Javed, this wasn't a traditional brute-force hack but a clever use of social engineering.

"This wasn't a break-in through Pandora's front door; it came through the side gate. The attackers reportedly phished Salesforce credentials using vishing tactics, calling support staff, pretending to be IT, and tricking them into handing over login details and MFA codes. Classic social engineering."

Once inside the system, the hackers are believed to have extracted the customer data using malicious scripts or a tampered version of Salesforce's Data Loader. This method has been linked to a known cybercriminal group called ShinyHunters (UNC6040).

"It's a stark reminder that your cybersecurity is only as strong as your weakest vendor and your most distracted employee."

Javed lays out a clear roadmap for how Pandora and other companies using similar platforms must respond:

Lock down third-party integrations.

"Vendors must meet the same cyber standards you demand internally."

Harden identity security.

"Introduce passwordless logins, enforce strict RBAC [role-based access control] policies, and restrict Salesforce app installations."

Train staff to recognise social engineering threats.

"Technical firewalls won't stop someone who says, 'Hi, I'm calling from IT, can you help me reset your token?'"

Continuously monitor critical assets.

"Not just for malware, but for anomalous behaviour, like data exports that don't match the norm."
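The last point, watching for exports that do not match a user's normal pattern, is the one that most directly fits the Data Loader style of extraction described above. The script below is an added illustration, not code from the article, Pandora, Salesforce or Citation Cyber: it scores each bulk export against that user's own history and flags a sudden jump in volume, an absolute spike from an account with no history to compare against, and a first-ever client IP. The log lines and the column names (TIMESTAMP, EVENT_TYPE, USER_ID, ROWS_PROCESSED, CLIENT_IP) are constructed for the example and only loosely modelled on Salesforce event-monitoring logs; the thresholds are assumptions to be tuned to a real org.

```python
"""Flag anomalous Salesforce-style data exports against each user's own baseline.

Added example. The log below is constructed for illustration and only loosely
modelled on Salesforce Event Monitoring (EventLogFile) columns; check the real
column names and event types for your org before reusing the parser.
"""
import csv
import io
import statistics
from collections import defaultdict

# Constructed sample log (not real data): four routine Data Loader jobs by one
# user, two report exports by another, then two very large bulk pulls at 02:00
# from an address neither user has used before.
SAMPLE_LOG = """\
TIMESTAMP,EVENT_TYPE,USER_ID,ROWS_PROCESSED,CLIENT_IP
2025-07-01T09:00:00Z,BulkApi,005A1,1200,203.0.113.10
2025-07-02T09:05:00Z,BulkApi,005A1,950,203.0.113.10
2025-07-03T09:02:00Z,BulkApi,005A1,1100,203.0.113.10
2025-07-04T09:10:00Z,BulkApi,005A1,1300,203.0.113.10
2025-07-05T09:00:00Z,ReportExport,005B2,400,203.0.113.11
2025-07-06T09:00:00Z,ReportExport,005B2,350,203.0.113.11
2025-07-07T02:13:00Z,BulkApi,005A1,2500000,198.51.100.77
2025-07-07T02:40:00Z,BulkApi,005C3,800000,198.51.100.77
"""

# Event types (assumed names) that move customer records out of the org in bulk.
EXPORT_EVENTS = {"BulkApi", "ReportExport"}


def parse_export_events(text):
    """Return export events as dicts, in file order (assumed chronological)."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["EVENT_TYPE"] not in EXPORT_EVENTS:
            continue
        events.append({
            "ts": row["TIMESTAMP"],
            "user": row["USER_ID"],
            "rows": int(row["ROWS_PROCESSED"]),
            "ip": row["CLIENT_IP"],
        })
    return events


def find_anomalous_exports(events, ratio=10.0, absolute=100_000, min_history=3):
    """Walk the events in order and score each against the user's prior activity.

    Three independent signals, any of which raises an alert:
      volume_vs_baseline        rows > ratio * median of the user's earlier exports
                                (needs at least min_history earlier exports)
      above_absolute_threshold  rows > absolute regardless of baseline, so a
                                low-activity or newly created account cannot
                                slip past the baseline check
      new_client_ip             the user has exported before, but never from this IP
    The thresholds are illustrative assumptions; tune them to your own volumes.
    """
    history = defaultdict(list)   # user -> row counts of earlier exports
    seen_ips = defaultdict(set)   # user -> client IPs seen on earlier exports
    alerts = []
    for e in events:
        user, reasons = e["user"], []
        prior = history[user]
        if len(prior) >= min_history and e["rows"] > ratio * statistics.median(prior):
            reasons.append("volume_vs_baseline")
        if e["rows"] > absolute:
            reasons.append("above_absolute_threshold")
        if prior and e["ip"] not in seen_ips[user]:
            reasons.append("new_client_ip")
        if reasons:
            alerts.append({"ts": e["ts"], "user": user, "rows": e["rows"],
                           "ip": e["ip"], "reasons": reasons})
        # Update the baseline only after scoring, so an attacker's huge pull
        # does not become part of the "normal" history it is compared against.
        prior.append(e["rows"])
        seen_ips[user].add(e["ip"])
    return alerts


def run_sample():
    """Score the constructed log; returns the two 02:00 bulk pulls as alerts."""
    return find_anomalous_exports(parse_export_events(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['ts']} user={a['user']} rows={a['rows']} ip={a['ip']} "
              f"-> {', '.join(a['reasons'])}")
```

Two design points matter more than the thresholds. The baseline is updated only after an event has been scored, so one enormous export cannot quietly raise the bar for the next one; and the absolute ceiling exists because a freshly compromised or newly created account has no history, which is exactly the gap a per-user baseline alone would leave open.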

According to Javed, "A basic fix can happen overnight. A true transformation of cyber maturity? That's a 12-month journey, minimum."

Pandora's breach follows recent attacks on M&S, Co-op, Adidas, and Chanel, suggesting that even the most prominent brands aren't immune to vulnerabilities. While 58% of retail leaders rank cybersecurity as a top concern, 11% admit they are still unprepared.

Javed's final word is a warning to the industry at large: "If your data security strategy stops at the firewall, you're not secure. You're exposed."