Tiffany & Co. Data Breach Affects Thousands of Customers

On or around May 12, 2025, Tiffany and Company, an American luxury jewelry and specialty design house, experienced a significant cybersecurity incident. An investigation was launched and on Sept. 9, 2025, it was determined that a cybercriminal gained accessed to sensitive customer and gift card data.

The data breach compromised personally identifiable information (PII) of at least 2,590 individuals. Exposed information included customer names, addresses, email addresses, phone numbers, sales transactions, internal client reference numbers and Tiffany gift card numbers with PINs.

A threat actor known as “Market Exchange” claimed responsibility for the breach, posting on a Tor-based dark web marketplace on July 7, 2025. The actor alleged possession of a Tiffany & Co. customer database containing information on approximately 720,000 high-spending female consumers in the United States.

Tiffany & Co. began notifying impacted individuals by mail on Sept. 16, 2025. The data breach was also disclosed to the Maine, Massachusetts, Montana, Vermont and New Hampshire Attorney Generals' offices between Sept. 16, 2025 and Sept. 19, 2025.

Tiffany and Company's response

Upon learning of the incident, Tiffany and Company engaged cybersecurity experts to investigate and notified law enforcement.

If you believe your personal information may have been compromised in this breach:

• Carefully review any notice or communication you receive from Tiffany & Co.
• Monitor financial accounts and credit reports for signs of identity theft.
• Consider placing fraud alerts or credit freezes with the major credit bureaus.
• Be cautious of unsolicited emails or phone calls requesting personal information.

For more information about Tiffany and Company, visit the official Tiffany & Co. website.