
Louis Vuitton, Dior & Tiffany Fined $25M for Data Breaches in South Korea

by Lisa Park - Tech Editor

Luxury Brands Hit with $25 Million Fine in South Korea Over Data Breaches

South Korea’s Personal Information Protection Commission (PIPC) has levied a combined $25 million in fines against Louis Vuitton, Christian Dior Couture and Tiffany & Co. for failing to adequately protect customer data, after breaches that exposed the personal information of more than 5.5 million individuals. The penalties underscore a growing global focus on data security, particularly for companies that handle sensitive customer information through cloud-based services.

The breaches, which occurred last year, all stemmed from weaknesses in how the companies secured access to Software-as-a-Service (SaaS) customer management platforms. According to the PIPC, the luxury brands, all subsidiaries of LVMH, did not implement sufficient security measures to prevent unauthorized access to customer data, including names, phone numbers, email addresses, postal addresses and purchase histories.

Louis Vuitton Faces Largest Penalty

Louis Vuitton Korea received the largest fine, totaling $16.4 million, after a malware infection on an employee’s device compromised its SaaS system. The breach exposed the data of approximately 3.6 million customers across three separate incidents between and . The PIPC found that Louis Vuitton had been using the SaaS tool since but had failed to implement basic security controls, such as restricting access by Internet Protocol (IP) address or requiring strong authentication for remote access.

Google researchers have linked the attacks to the ShinyHunters hacking group, known for targeting Salesforce platforms. ShinyHunters later claimed responsibility for breaching LVMH systems, indicating a sophisticated and targeted campaign.

Dior’s Breach Resulted from Phishing Attack and Delayed Discovery

Christian Dior Couture Korea was fined $9.4 million after a customer service employee fell for a phishing attack, giving an attacker access to the company’s SaaS system. This breach compromised the data of 1.95 million customers. The PIPC noted that Dior had been using the system since but lacked critical security measures, including allow-lists to restrict access, limits on bulk data downloads and consistent monitoring of access logs. Because these controls were not yet in place, the breach went undetected for more than three months.

Dior Korea was also faulted for notifying the PIPC five days after discovering the breach, a violation of the Personal Information Protection Act (PIPA), which requires notification within 72 hours of becoming aware of a data leak.

Tiffany’s Vulnerability Exploited Through Voice Phishing

Tiffany Korea received a $1.85 million fine after attackers used voice phishing (vishing) to trick a customer service employee into providing access to the SaaS system. While the impact was smaller, affecting approximately 4,600 customers, the PIPC found the same deficiencies – no IP-based access controls and no restrictions on bulk data downloads – as well as a delay in notifying affected individuals.
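The two controls the PIPC cited against Dior and Tiffany, an IP allow-list on access and detection of bulk record downloads from the access logs, are simple enough to sketch. The script below is an added example, not code from the PIPC, the brands or any SaaS vendor. It assumes a hypothetical JSON-lines audit log (fields `ts`, `user`, `ip`, `action`, `records`) and an office egress range drawn from the reserved TEST-NET blocks; the sample events are constructed. It flags logins from outside the allow-list and any user whose exports exceed a record threshold within a sliding window, which is the kind of check that would have surfaced a months-long undetected exfiltration early.

```python
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Hypothetical office egress ranges allowed to reach the SaaS tenant (TEST-NET / doc prefixes).
ALLOW_LIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:10::/48")]

# Constructed sample audit events, not a real vendor log. One JSON object per line:
# a normal agent working from the office, then an account used from an outside IP
# that pulls 60,000 records in under ten minutes.
SAMPLE_LOG = """
{"ts": "2024-05-01T08:55:12Z", "user": "cs.agent1", "ip": "203.0.113.14", "action": "login", "records": 0}
{"ts": "2024-05-01T09:02:40Z", "user": "cs.agent1", "ip": "203.0.113.14", "action": "view", "records": 1}
{"ts": "2024-05-01T09:40:03Z", "user": "cs.agent1", "ip": "203.0.113.14", "action": "export", "records": 150}
{"ts": "2024-05-01T22:14:09Z", "user": "cs.agent2", "ip": "198.51.100.77", "action": "login", "records": 0}
{"ts": "2024-05-01T22:15:30Z", "user": "cs.agent2", "ip": "198.51.100.77", "action": "export", "records": 20000}
{"ts": "2024-05-01T22:19:55Z", "user": "cs.agent2", "ip": "198.51.100.77", "action": "export", "records": 20000}
{"ts": "2024-05-01T22:24:10Z", "user": "cs.agent2", "ip": "198.51.100.77", "action": "export", "records": 20000}
"""


def parse_events(raw):
    """Parse JSON-lines audit events into dicts with UTC datetimes and ip_address objects."""
    events = []
    for line in raw.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        e["ip"] = ipaddress.ip_address(e["ip"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def ip_allowed(ip, allow_list=ALLOW_LIST):
    """True if the source address falls inside one of the allow-listed networks."""
    if isinstance(ip, str):
        ip = ipaddress.ip_address(ip)
    return any(ip in net for net in allow_list)


def find_off_allowlist_logins(events, allow_list=ALLOW_LIST):
    """Logins that should have been refused outright by an IP allow-list."""
    return [
        {"user": e["user"], "ip": str(e["ip"]), "ts": e["ts"].isoformat()}
        for e in events
        if e["action"] == "login" and not ip_allowed(e["ip"], allow_list)
    ]


def find_bulk_exports(events, max_records=25000, window_minutes=60):
    """Per-user sliding window over export events; report the first time the
    total records exported inside the window exceeds max_records."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(list)  # user -> [(ts, records)] still inside the window
    flagged, findings = set(), []
    for e in events:
        if e["action"] != "export":
            continue
        bucket = recent[e["user"]]
        bucket.append((e["ts"], e["records"]))
        while bucket and e["ts"] - bucket[0][0] > window:
            bucket.pop(0)  # age out events older than the window
        total = sum(n for _, n in bucket)
        if total > max_records and e["user"] not in flagged:
            flagged.add(e["user"])
            findings.append({
                "user": e["user"],
                "ip": str(e["ip"]),
                "records_in_window": total,
                "first_seen": bucket[0][0].isoformat(),
                "last_seen": e["ts"].isoformat(),
            })
    return findings


def review(raw, allow_list=ALLOW_LIST, max_records=25000, window_minutes=60):
    """Run both checks over a raw log and return the findings."""
    events = parse_events(raw)
    return {
        "off_allowlist_logins": find_off_allowlist_logins(events, allow_list),
        "bulk_exports": find_bulk_exports(events, max_records, window_minutes),
    }


if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_LOG), indent=2))
```

In a real deployment the allow-list check belongs in the SaaS tenant's own login policy so the session is refused, not merely logged; the export check belongs in a scheduled job over the vendor's audit export, with the threshold set from a baseline of legitimate daily volumes.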

SaaS Doesn’t Exempt Companies from Data Security Responsibility

The PIPC emphasized that utilizing SaaS solutions does not absolve companies of their responsibility to protect customer data. The commission explicitly stated that the responsibility for data security remains with the companies themselves, and cannot be delegated to the SaaS vendor. This ruling sets a precedent for holding organizations accountable for the security of their data, even when it is stored and processed by third-party providers.

This case highlights the growing risks associated with cloud-based customer management systems and the importance of robust security measures, including multi-factor authentication, access controls and regular security audits. The fines serve as a warning to other companies operating in South Korea – and globally – to prioritize data security and comply with evolving data protection regulations. The incidents also underscore the continued effectiveness of social engineering, such as phishing and vishing, as a means of gaining unauthorized access to sensitive systems.
