South Korea has fined luxury fashion brands Louis Vuitton, Christian Dior Couture, and Tiffany $25 million for failing to implement adequate security measures, which facilitated unauthorized access and the exposure of data belonging to more than 5.5 million customers.

All three brands are part of the Louis Vuitton Moët Hennessy (LVMH) group and suffered data breaches [1, 2, 3] after hackers gained access to their cloud-based customer management service.

The Personal Information Protection Commission (PIPC) in South Korea says that in the case of Louis Vuitton, an employee’s device was infected with malware, which led to compromising their software-as-a-service (SaaS) and leaking of data for 3.6 million customers.

Although the product isn’t named, Google researchers linked the campaigns to the ShinyHunters gang, who targeted Salesforce platforms. The threat actor later claimed the breach of LVMH systems.

The breaches at the three regional brands last year exposed sensitive customer data, including names, phone numbers, email addresses, postal addresses, and purchase histories.

PIPC says that Louis Vuitton had been operating the SaaS tool since 2013, but “did not restrict access rights to Internet Protocol (IP) addresses, etc., and did not apply secure authentication methods when personal information handlers accessed the service from outside.”

For failing to adequately secure access to customer data, the South Korean data protection agency imposed a $16.4 million fine on Louis Vuitton and ordered the company to announce the penalty on its business website.

At Dior, the breach occurred via a phishing attack on a customer service employee, who was tricked into granting the hacker access to the SaaS system, exposing data for 1.95 million customers.

Dior had been using the system since 2020, but didn’t implement allow-lists, didn’t place bulk data download restrictions, and failed to inspect access logs, delaying the discovery of the breach for over three months.

Additionally, Dior South Korea disclosed the breach to PIPC five days after learning about it. Under PIPA, organizations are required to notify the data protection agency within 72 hours from the time of becoming aware of a personal information leak.

Due to these violations, PIPC announced a $9.4 million financial penalty for Dior South Korea.

Tiffany was breached in a similar way, with attackers using voice phishing to trick a customer service employee into giving them access to the SaaS system. However, the impact was far lower in this case, with 4,600 clients exposed.

Similar to the other two cases, Tiffany also neglected to implement IP-based access controls and bulk data download restrictions and did not notify impacted individuals within the legally specified time frame. The brand received a $1.85 million fine.

PIPC emphasized that SaaS solutions do not exempt companies from their responsibility to securely manage client data, nor does it transfer that responsibility to the vendors of these solutions.