Tiffany & Co.

On or around **May 12, 2025**, Tiffany & Co., a luxury jewelry retailer, suffered a **cybersecurity breach** after a threat actor ('Market Exchange') infiltrated its systems. The attack exposed **personally identifiable information (PII)** of **at least 2,590 confirmed individuals**, including names, addresses, emails, phone numbers, sales transactions, client reference numbers, and **Tiffany gift card details (with PINs)**. The actor later claimed possession of a broader database containing records of **~720,000 high-spending U.S. customers**, predominantly women. The breach was disclosed to authorities and affected individuals in **September 2025**, with notifications sent via mail. While no financial fraud was immediately reported, the exposure of **gift card PINs** and **detailed customer profiles** poses risks of **identity theft, phishing, and unauthorized transactions**. Tiffany & Co. engaged cybersecurity experts and law enforcement but did not confirm whether ransomware or additional system compromises (e.g., operational disruption) occurred. The incident highlights vulnerabilities in **customer data protection** within high-end retail.

Source: https://www.claimdepot.com/data-breach/tiffany-co-2025

TPRM report: https://www.rankiteo.com/company/tiffany-and-co

{
  "id": "tif5392553091725",
  "linkid": "tiffany-and-co",
  "type": "Breach",
  "date": "5/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}

{'affected_entities': [{'customers_affected': '2,590 (confirmed); 720,000 '
                                              '(claimed by threat actor)',
                        'industry': 'Luxury Retail (Jewelry)',
                        'location': 'United States',
                        'name': 'Tiffany & Co.',
                        'type': 'Corporation'}],
 'customer_advisories': ['Review notices from Tiffany & Co.',
                         'Monitor for identity theft',
                         'Consider credit freezes/fraud alerts'],
 'data_breach': {'data_exfiltration': True,
                 'number_of_records_exposed': '2,590 (confirmed); 720,000 '
                                              '(claimed)',
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High (PII + financial transaction '
                                        'data)',
                 'type_of_data_compromised': ['Personally Identifiable '
                                              'Information (PII)',
                                              'Gift card data (numbers with '
                                              'PINs)',
                                              'Sales transaction records']},
 'date_detected': '2025-05-12',
 'date_publicly_disclosed': '2025-09-16',
 'description': 'On or around May 12, 2025, Tiffany and Company, an American '
                'luxury jewelry and specialty design house, experienced a '
                'significant cybersecurity incident. An investigation '
                'determined that a cybercriminal gained unauthorized access to '
                'sensitive customer and gift card data, compromising '
                'personally identifiable information (PII) of at least 2,590 '
                'individuals. The exposed data included customer names, '
                'addresses, email addresses, phone numbers, sales '
                'transactions, internal client reference numbers, and Tiffany '
                "gift card numbers with PINs. A threat actor known as 'Market "
                "Exchange' claimed responsibility, alleging possession of a "
                'database containing information on approximately 720,000 '
                'high-spending female consumers in the U.S.',
 'impact': {'brand_reputation_impact': 'Potential reputational harm due to '
                                       'exposure of high-profile customer data',
            'data_compromised': ['Customer names',
                                 'Addresses',
                                 'Email addresses',
                                 'Phone numbers',
                                 'Sales transactions',
                                 'Internal client reference numbers',
                                 'Tiffany gift card numbers with PINs'],
            'identity_theft_risk': 'High (PII and gift card details exposed)',
            'payment_information_risk': 'Moderate (gift card numbers with PINs '
                                        'exposed)'},
 'initial_access_broker': {'data_sold_on_dark_web': True,
                           'high_value_targets': 'High-spending female '
                                                 'consumers (per threat actor '
                                                 'claim)'},
 'investigation_status': 'Completed (as of 2025-09-09)',
 'ransomware': {'data_exfiltration': True},
 'recommendations': ['Monitor financial accounts and credit reports for signs '
                     'of identity theft',
                     'Consider placing fraud alerts or credit freezes with '
                     'major credit bureaus',
                     'Be cautious of unsolicited emails or phone calls '
                     'requesting personal information'],
 'references': [{'source': 'Tiffany & Co. Official Website'},
                {'date_accessed': '2025-09-16',
                 'source': "Maine Attorney General's Office Disclosure"},
                {'date_accessed': '2025-07-07',
                 'source': "Dark Web Marketplace Posting by 'Market "
                           "Exchange'"}],
 'regulatory_compliance': {'regulatory_notifications': [{'authority': 'Maine '
                                                                      'Attorney '
                                                                      "General's "
                                                                      'Office',
                                                         'date': '2025-09-16'}]},
 'response': {'communication_strategy': ['Mail notifications to impacted '
                                         'individuals (sent 2025-09-16)',
                                         'Disclosure to Maine Attorney '
                                         "General's office (2025-09-16)"],
              'incident_response_plan_activated': True,
              'law_enforcement_notified': True,
              'third_party_assistance': 'Cybersecurity experts engaged'},
 'threat_actor': 'Market Exchange',
 'title': 'Tiffany & Co. Customer and Gift Card Data Breach (2025)',
 'type': 'Data Breach'}