South Korea’s privacy regulator recently fined several LVMH-owned luxury brands a combined $25 million following significant data breaches that exposed millions of customers. The largest individual penalties were issued to Louis Vuitton and Dior after hackers exploited internal security vulnerabilities and social engineering tactics to access sensitive information.
South Korea’s Personal Information Protection Commission recently penalized several high-end luxury brands following a massive security breach that compromised the data of millions. The fines, which totaled approximately $25 million, targeted Louis Vuitton, Dior, and Tiffany. These brands are all subsidiaries of the French luxury conglomerate LVMH. The regulator found that the companies failed to maintain adequate cybersecurity protocols, leading to the unauthorized exposure of personal information.
The investigation revealed that the brands suffered from distinct security failures. Louis Vuitton faced a $15 million fine after malware infected employee devices, resulting in the compromise of data belonging to 3.6 million people. Dior was ordered to pay over $8.4 million because a voice phishing attack led to the exposure of 1.95 million individual records. Tiffany was also hit with a $1.6 million fine after a similar phishing scheme compromised the details of several thousand customers.
According to the commission, these breaches were linked to an intrusion on a third-party software-as-a-service platform. While the regulator did not officially name the service, reports indicate that the brands were victims of a broader campaign targeting Salesforce customers. The hackers did not exploit technical flaws in the platform itself but instead focused on human error and social engineering to gain entry into the corporate environments.
The group responsible for the campaign has been identified as the Scattered LAPSUS$ Hunters. This extortion group successfully harvested millions of data records by tricking employees into providing access to their accounts. By using social engineering rather than traditional software exploits, the attackers were able to bypass complex security measures and navigate the internal Salesforce instances of dozens of major organizations worldwide.
LVMH has not yet issued a formal public response regarding the specific findings or the multimillion-dollar penalties. The incident serves as a significant reminder of the risks posed by social engineering and the high cost of regulatory non-compliance in South Korea. Cybersecurity experts continue to monitor the situation as more details emerge regarding the full extent of the data compromised during the various phishing attacks.
Source: Dior, Louis Vuitton, Tiffany Fined $25M In South Korea After Data Breaches


