- Who is SEED Beauty, LLC?
ColourPop Cosmetics is an affiliate of SEED Beauty, LLC that manufactures, markets, and sells cosmetics to customers around the world from SEED Beauty’s headquarters in Oxnard, California, United States.
- What happened/how did this happen?
To process online sales, SEED Beauty uses the e-commerce platform Shopify. Shopify recently reported that two Shopify contractors installed an unauthorized application on the ColourPop Shopify store on August 24, 2020. The unauthorized application exported customer order information for approximately 86% of the records in our database. Shopify has informed us that it is not possible to determine conclusively which records were taken, and it is possible that your information was among the records exported without authorization by the Shopify contractors.
- What personal information may have been involved?
The personal information involved could have included your name, mailing or billing address, email address, phone number and information about ColourPop items purchased. Additionally, while Shopify had safeguards in place that prevented any full credit card numbers from being exported by the unauthorized application, the information could have included a bank identification number associated with your payment card (the first six digits of a payment card number) as well as the last 4 digits of your payment card number. Your ColourPop username and password were not exported.
- Why does SEED Beauty have my personal information?
We have your information because you either placed an order on the ColourPop store online or because an order someone else placed was billed or shipped to you.
- When did this happen?
On September 18, 2020, Shopify provided details to SEED about a security incident involving two Shopify contractors. Shopify reported that on August 24, 2020, an application was installed on the ColourPop Cosmetics Shopify store without approval. The application then began exporting customer order information. This export process continued through August 25, 2020, and the unapproved application was uninstalled on August 26, 2020.
- Why wasn’t I contacted sooner?
ColourPop takes the security and privacy of personal information very seriously. Following initial notice from Shopify, SEED has attempted to determine the identities of the individuals whose data was taken and their locations. It has also notified the appropriate regulators.
- Who is responsible?
Shopify reported that two of its contractors took the information. Shopify has notified law enforcement in the United States and Canada and requested that they also investigate the incident.
- What is being done to protect my information?
The unauthorized application was removed within 48 hours of its installation. Additionally, when Shopify became aware of this incident, it began an investigation with the assistance of a forensic investigator. Shopify also terminated the two Shopify contractors responsible for the data breach, suspended their access to Shopify’s systems and networks, and notified law enforcement in the United States and Canada.
- Has law enforcement been notified?
Shopify has notified law enforcement in the United States and Canada and requested that they also investigate the incident.
- Was my credit card/financial account number exposed?
Shopify had safeguards in place that prevented any full credit card numbers from being exported by the unauthorized application. The information could have included only a bank identification number associated with your payment card (the first six digits of a payment card number) as well as the last 4 digits of your payment card number.
- Does this mean I am the victim of identity theft?
We have no evidence that your information has been misused as a result of this incident. However, we encourage you to be vigilant in reviewing communications directed to an email address or phone number you have previously provided to ColourPop. If a message from ColourPop appears to be suspicious, contact us.
- I believe I have experienced fraud/identity theft related to this issue. What do I do?
To date, we are not aware of any misuse of your personal information as a result of this incident. Further, it is unlikely that the type of information involved could be used for identity theft. However, if you believe you are the victim of identity theft or have reason to believe your information has been misused, you should contact your local law enforcement authorities, credit reporting agencies, and any financial institution you believe to by involved.
- I am a ColourPop customer, why did I not receive an email notification?
ColourPop is notifying customers where required by law. We are not aware of any misuse of your personal information as a result of this incident, and it is unlikely that the type of information involved could be used for fraud or identity theft.
- Is the notice legitimate? Is this a scam?
I can assure you the notice is legitimate. Safeguarding personal information is a priority, and we take this issue very seriously.