In this week’s bulletin, Charlie discusses the recent Pandora cyber attack and gives an insight into the lessons we can learn from the incident.

A couple of events have inspired the bulletin this week. Firstly, my wife, Kim, received an email from Pandora, the jewellery company, informing her of a data breach. This resonated with me because it is my daughters’ birthdays soon, and we had bought them Pandora charms from Aruba as a birthday present. They don’t read my bulletins, so I don’t think they will need to be warned before receiving the gift. Secondly, I am delivering my cyber course next week, and I always like to include recent incidents as part of the course and ensure I update it regularly, as the cyber world is constantly evolving.

The basic facts of the incident are as follows:

  • Pandora A/S, the Danish jewellery manufacturer founded in 1982, is the world’s largest jewellery brand with over 31 billion Danish kroner in revenue and a global network of around 2,700 stores across more than 100 countries. On the 5th-6th August 2025, the company confirmed a significant data breach affecting customer information accessed through a third-party platform. This was the email that my wife received.
  • The email said that the data compromised was customer names, birth dates, and email addresses, but that no passwords, financial information, or payment data were exposed. Pandora said that it had notified affected customers and strengthened its security measures, and advised customers to look out for phishing emails that appear to come from Pandora. The company has found no evidence that the stolen data has been publicly shared or misused.

These are the lessons I believe we should take away from this incident:

1. Vulnerability of third-party platforms

According to Bleeping Computer, the breach occurred on Pandora’s Salesforce platform, and that is where the data was exfiltrated from. The platform itself was not hacked directly; the hackers were able to use a Pandora staff member’s credentials to access the platform and exfiltrate the data. Having used the Salesforce platform, I know that exporting names and email details is a fairly standard function of the platform, as marketers use these details to send out emails or newsletters. There have been a number of recent hacks where the data is alleged to have been compromised through third-party access. These have included Qantas, Allianz Life, LVMH, and Adidas. Salesforce has been robust in defending its security, and it is the configuration of the platform by the people who use the system that is the issue. Salesforce is a large multinational company which can afford world-class security, but I wonder about all the other more niche and industry-specific Software as a Service (SaaS) providers who are much smaller and not so rich: how good is their security? It is difficult to tell how good a SaaS provider’s security is without a lot of time and effort. Sometimes the buyer of a SaaS platform is not someone from IT but a department with an IT need; the SaaS provider delivers what they require, so they go to the provider directly without consulting the organisation’s IT department.

2. Vishing: the new phishing

Ringing up pretending to be the organisation’s help desk and then getting the user to run a script, hand over control of their computer, or even just give up their username and password is a tried and tested means by which hackers gain access to systems. The articles I read on the hack said that vishing was used, and there was speculation about the various ways Salesforce can be accessed to exfiltrate data. IT departments conduct lots of phishing exercises to try to educate their users, but are they doing the same with vishing?

3. Stealthy data exfiltration

Darren Williams, founder and CEO of BlackFog, said: “This incident reflects the clear shift in ransomware tactics toward stealthy data exfiltration. Rather than immediate disruption, attackers are quietly harvesting sensitive information to power extortion schemes, identity fraud and dark web trade, damage that often continues long after the initial compromise.” So, with this type of attack, no ransomware is deployed and there is therefore no impact on operations; the hacker relies instead on extortion, threatening to release the data.
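Lessons 1 and 3 together point at the detection problem: an export of names and email addresses from a SaaS platform is routine business activity, so the signal is not the action but its size, timing and source compared with what that user normally does. The script below is an added example, not code from the bulletin, from Pandora or from Salesforce; the audit log format (one JSON object per line with `ts`, `user`, `action`, `rows` and `ip`) and every user name, IP address and row count in it are constructed for illustration, and real SaaS audit logs will use different field names. It builds a per-user baseline from earlier activity and then flags exports that are an order of magnitude above that user’s usual size, that come from an IP address never seen for that account, or that cumulatively move a large number of records in a short window.

```python
"""Flag unusually large or off-pattern record exports in SaaS audit logs.

Added example for the bulletin, not from Pandora or Salesforce. The log
format below is constructed: one JSON object per line with the fields
shown. Real SaaS audit logs will have different field names.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log lines (hypothetical users, IPs and row counts).
# Days of routine marketing exports, then a night-time login from a new
# address followed by two very large exports.
SAMPLE_LOG = """\
{"ts": "2025-08-04T09:12:00Z", "user": "marketing.01", "action": "report_export", "rows": 1200, "ip": "203.0.113.10"}
{"ts": "2025-08-04T10:30:00Z", "user": "marketing.01", "action": "report_export", "rows": 900, "ip": "203.0.113.10"}
{"ts": "2025-08-04T11:05:00Z", "user": "marketing.02", "action": "report_export", "rows": 1500, "ip": "203.0.113.11"}
{"ts": "2025-08-04T11:40:00Z", "user": "marketing.01", "action": "login", "rows": 0, "ip": "203.0.113.10"}
{"ts": "2025-08-05T02:17:00Z", "user": "marketing.01", "action": "login", "rows": 0, "ip": "198.51.100.77"}
{"ts": "2025-08-05T02:21:00Z", "user": "marketing.01", "action": "report_export", "rows": 480000, "ip": "198.51.100.77"}
{"ts": "2025-08-05T02:24:00Z", "user": "marketing.01", "action": "report_export", "rows": 450000, "ip": "198.51.100.77"}
"""


def parse_log(text):
    """Parse newline-delimited JSON events; timestamps become aware datetimes."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return events


def build_baseline(events, until):
    """Per-user largest export and set of source IPs, using only events before `until`."""
    rows = defaultdict(list)
    ips = defaultdict(set)
    for event in events:
        if event["ts"] >= until:
            continue
        ips[event["user"]].add(event["ip"])
        if event["action"] == "report_export":
            rows[event["user"]].append(event["rows"])
    baseline = {}
    for user in set(rows) | set(ips):
        sizes = rows.get(user, [])
        baseline[user] = {"max_rows": max(sizes) if sizes else 0, "ips": ips[user]}
    return baseline


def detect_bulk_exports(events, baseline, *, ratio=10, floor=10000,
                        window_hours=1, window_rows=500000):
    """Return one alert per suspicious export, each listing the reasons it fired.

    Reasons: rows far above the user's baseline maximum (and above an absolute
    floor so tiny baselines do not cause noise), export from an IP never seen
    for that user, or cumulative rows within the window exceeding `window_rows`.
    """
    alerts = []
    recent = defaultdict(list)  # user -> [(ts, rows)] within the sliding window
    for event in sorted(events, key=lambda e: e["ts"]):
        if event["action"] != "report_export":
            continue
        user = event["user"]
        base = baseline.get(user, {"max_rows": 0, "ips": set()})
        reasons = []
        if event["rows"] >= floor and event["rows"] > ratio * base["max_rows"]:
            reasons.append(f"rows {event['rows']} > {ratio}x baseline max {base['max_rows']}")
        if event["ip"] not in base["ips"]:
            reasons.append(f"export from IP {event['ip']} not seen in baseline")
        recent[user] = [(t, r) for t, r in recent[user]
                        if (event["ts"] - t).total_seconds() <= window_hours * 3600]
        recent[user].append((event["ts"], event["rows"]))
        total = sum(r for _, r in recent[user])
        if total >= window_rows:
            reasons.append(f"{total} rows exported within {window_hours}h")
        if reasons:
            alerts.append({"ts": event["ts"].isoformat(), "user": user,
                           "rows": event["rows"], "reasons": reasons})
    return alerts


def run(log_text=SAMPLE_LOG, cutoff="2025-08-05T00:00:00+00:00"):
    """Baseline on everything before `cutoff`, then scan the whole log."""
    events = parse_log(log_text)
    baseline = build_baseline(events, datetime.fromisoformat(cutoff))
    return detect_bulk_exports(events, baseline)


if __name__ == "__main__":
    for alert in run():
        print(alert["ts"], alert["user"], alert["rows"], "; ".join(alert["reasons"]))
```

On the constructed log the two routine days produce no alerts, while the two night-time exports each fire on size and on the unseen IP address, and the second also fires on the one-hour cumulative total. The thresholds are deliberately parameters: a marketing team that legitimately exports a whole mailing list once a quarter needs a longer baseline and a higher floor, and the point of lesson 1 is that someone in the organisation has to own that tuning for every SaaS platform holding customer data, not just the ones IT bought.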

4. The importance of ‘common’ data

In the Pandora email to Kim, they tried to downplay the data loss by saying: “Only very common types of data were copied by the attacker, specifically name, birth date, and email address. We’d like to stress that no passwords, credit card details or similar confidential data were involved in this incident”. Name, birth date, and email address are all you need to start a phishing or spear-phishing campaign, so I think Pandora playing down the importance of this data is disingenuous and shows a bit of naivety about how hackers use data.

5. The leaking of data

In the email, Pandora said: “We have carried out extensive checks and to date we cannot see any evidence that this data has been shared or published”. I think it shows good practice that they have searched the dark web and data dump sites for their data, but it doesn’t mean that the data is not being used for nefarious purposes. Sometimes data is sold on directly to other groups, who then use it for their own hacks, or the attackers may be biding their time and negotiating with Pandora to pay a ransom, which is why they have not yet released the data. Just because the data is not available now, it does not mean it will not be available in the future.

6. The attacking group

According to Bleeping Computer, ShinyHunters are the group behind the attack. I have noticed that most organisations don’t name the attackers in their communications. Pandora is likely to know the name, as they have most likely received a ransom demand. Once you have received a ransom demand, threat intelligence lets you understand the modus operandi of the attackers.

7. Proactive communications

The attack seems to have occurred earlier in the week, a couple of days before Pandora sent out the email. I am impressed that they managed to get the communications out so quickly. Often organisations will take weeks to get a message out to all those affected after they have initially announced the attack. I did notice that the email gave a link to their website, which contains no further information on the incident. They are pursuing a low-profile strategy, with nothing on the front of their website or even buried in the back layers of it. I suspect, like many other organisations, they just want the issue to go away so they can continue to run a profitable business.

I believe this case study doesn’t reveal much beyond the attackers continuing to use new types of attacks or techniques. But I do think we need to look again at the security around our SaaS use, ensure that security is not weak, and confirm that our staff have been trained to recognise vishing attacks.
