Recently, the South Korean authority responsible for protecting personal data imposed multimillion-dollar fines on three luxury brands in the LVMH group: Louis Vuitton, Christian Dior Couture and Tiffany. The total sanction exceeds $25 million and stems from weaknesses in cloud service management that allowed attackers to access information on millions of customers in the region.
The case is a textbook example of how an operational weakness, not a failure on the provider's side, can turn a cloud service into a path to mass exposure. According to the investigation by South Korea's Personal Information Protection Commission (PIPC), in the Louis Vuitton incident an employee's computer was infected with malware; that foothold compromised the SaaS service used to manage customers and resulted in the leak of data on approximately 3.6 million people. The PIPC has published its resolution detailing these findings, including the deficiencies in access and authentication controls: PIPC official document.

In Dior's case, the intrusion followed a phishing attack aimed at a customer-care employee, who unknowingly granted the attacker privileges to enter the same SaaS system. This exposed the personal data of about 1.95 million people, and the investigation showed that the company had been using the tool since 2020 without applying IP restrictions, without controls limiting mass downloads and without actively reviewing access logs, factors that delayed detection of the incident by more than three months. The PIPC fined Dior 9.4 million dollars and also reprimanded it for delaying official notification: under Korean law, organizations must report a data leak within 72 hours of the incident.
Tiffany suffered a similar attack in which the attackers used voice-based deception (vishing) to manipulate an employee and gain access. Although the volume of information affected was far lower, around 4,600 customers, the authority noted the same shortcomings: no IP-based controls, no limits on mass downloads and delays in notifying the people concerned. The fine was $1.85 million.
Regulators stress a point that is often misunderstood: using a SaaS service does not transfer the responsibility for protecting data to the provider. The company that manages the customer relationship retains the legal and operational obligation to secure that data, implement robust authentication, apply least-privilege principles and audit regularly. The PIPC emphasized this in its statement and in the penalties applied to the three brands.
The investigation also mentioned a possible link between the campaigns that hit these brands and criminal groups previously tied to data leaks on cloud platforms. Independent cybersecurity reports have associated groups such as ShinyHunters with operations targeting commercial cloud services, which adds context to the attackers' tactics and profile: credential theft, abuse of compromised sessions and mass downloads of information. For a summary of the international coverage of the sanctions and the background, this report provides an overview: Reuters report; the regional outlet Chosun Ilbo also covered the local details.
Beyond the names and figures, this episode offers practical lessons for any organization that processes personal data. The threat is not only technical: it combines social engineering with failures in internal policies and monitoring procedures. Measures such as multi-factor authentication, IP allowlists, data export limits, access segmentation and continuous log monitoring are no longer recommendations but basic requirements if the attack surface is to be reduced.
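As an added illustration, not taken from the article or the PIPC resolution, of how the missing controls described above (IP restrictions, limits on mass downloads, review of access logs) could be caught from access records: a small Python checker that runs over constructed SaaS audit-log lines and flags access from outside an assumed IP allowlist, oversized exports and repeated exports within a short window. The log format, field names, networks and thresholds are all assumptions made for the example.

```python
# Added example: detection logic over constructed SaaS audit-log lines.
# Log format, field names, allowlisted networks and thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed corporate egress ranges the SaaS tenant should be restricted to.
ALLOWED_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
EXPORT_RECORD_LIMIT = 10_000        # max records in a single export
EXPORT_WINDOW = timedelta(hours=1)  # sliding window for repeated exports
EXPORTS_PER_WINDOW = 3              # exports inside the window that trigger an alert

# Constructed audit log: timestamp|user|source_ip|action|records
SAMPLE_LOG = """\
2025-01-10T09:02:11|agent01|203.0.113.7|login|0
2025-01-10T09:05:40|agent01|203.0.113.7|export|500
2025-01-10T21:14:03|agent01|192.0.2.55|login|0
2025-01-10T21:16:30|agent01|192.0.2.55|export|250000
2025-01-10T21:20:12|agent01|192.0.2.55|export|250000
2025-01-10T21:25:48|agent01|192.0.2.55|export|250000
"""

def parse_line(line):
    ts, user, ip, action, records = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
            "action": action, "records": int(records)}

def ip_allowed(ip):
    """True if the source IP falls inside one of the allowlisted networks."""
    return any(ip_address(ip) in net for net in ALLOWED_NETWORKS)

def find_alerts(log_text):
    """Return (timestamp, user, reason) tuples for events that violate the controls."""
    alerts = []
    recent_exports = defaultdict(list)  # user -> timestamps of recent exports
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ip_allowed(ev["ip"]):
            alerts.append((ev["ts"], ev["user"], f"access from non-allowlisted IP {ev['ip']}"))
        if ev["action"] != "export":
            continue
        if ev["records"] > EXPORT_RECORD_LIMIT:
            alerts.append((ev["ts"], ev["user"], f"bulk export of {ev['records']} records"))
        window = recent_exports[ev["user"]]
        window.append(ev["ts"])
        window[:] = [t for t in window if ev["ts"] - t <= EXPORT_WINDOW]
        if len(window) >= EXPORTS_PER_WINDOW:
            alerts.append((ev["ts"], ev["user"], f"{len(window)} exports within {EXPORT_WINDOW}"))
    return alerts
```

Running `find_alerts(SAMPLE_LOG)` flags the evening session from the unknown address on every event, each of the three oversized exports, and the third export for the burst, while the daytime 500-record export from the office range passes.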

The human side is also key: continuous training for customer-facing employees, identity verification in sensitive interactions and clear protocols for reacting to and reporting incidents can make the difference between a contained failure and a mass exposure that results in sanctions, loss of trust and long-lasting reputational damage.
For luxury brands, whose commercial value is closely tied to the trust of their customers, the fine is not just an economic cost. It is a call to attention about the need to invest in data governance and operational controls, even when information is hosted on platforms managed by third parties. The legal and ethical responsibility to protect information remains with whoever collects and uses it.
If you want to read the Korean authority's full resolution or consult the international press coverage, here are the sources consulted: the PIPC resolution (PIPC), Reuters' coverage of the fines (Reuters) and the regional report in Chosun Ilbo.