Louis Vuitton, Dior, and Tiffany Fined $25 Million for SaaS Customer Management Data Breaches in South Korea

Executive Summary
South Korea’s Personal Information Protection Commission (PIPC) has imposed a combined fine of approximately $25 million on the Korean subsidiaries of Louis Vuitton, Christian Dior Couture, and Tiffany for significant data breaches that exposed the personal information of more than 5.5 million customers. The breaches, which occurred between June 2025 and early 2026, were facilitated by inadequate security controls in the companies’ cloud-based customer management systems. Attackers exploited weaknesses such as the absence of IP-based access restrictions, lack of strong authentication, and insufficient monitoring of access logs. The incidents involved malware infection, phishing, and voice phishing (vishing) attacks targeting employees, resulting in unauthorized access to sensitive customer data including names, contact details, and purchase histories. The PIPC’s enforcement actions underscore that responsibility for data protection remains with the data controllers, even when using Software-as-a-Service (SaaS) platforms, and set a new precedent for regulatory expectations in the luxury retail sector. All findings and conclusions in this report are based on primary, date-verified sources, as cited in the References section.
Technical Information
The data breaches affecting Louis Vuitton, Dior, and Tiffany were the result of targeted attacks exploiting both technical and procedural weaknesses in the companies’ SaaS-based customer management environments. The attacks leveraged a combination of social engineering and malware to gain unauthorized access to sensitive customer data.
For Louis Vuitton, the initial compromise occurred when an employee’s device was infected with malware. This infection enabled attackers to harvest credentials for the company’s SaaS platform, which had been in use since 2013. The attackers subsequently accessed the platform and exfiltrated data belonging to approximately 3.6 million customers over three separate incidents between June 9 and June 13, 2025. The malware infection and subsequent credential theft are confirmed by both the PIPC and independent reporting, with Google researchers attributing the campaign to the ShinyHunters threat group, known for targeting Salesforce and similar cloud platforms. However, this attribution is based on campaign pattern analysis rather than direct technical artifacts such as malware samples or infrastructure overlap, resulting in a medium confidence level for the threat actor identification. The technical failures at Louis Vuitton included the absence of IP-based access controls, lack of secure authentication methods for remote access, and insufficient monitoring of access logs, all of which facilitated the attackers’ lateral movement and data exfiltration. The MITRE ATT&CK techniques relevant to this incident include T1566 (Phishing), T1204 (User Execution), T1555/T1556 (Credential Access), T1078 (Valid Accounts), and T1530 (Data from Cloud Storage Object). Sources: https://www.bleepingcomputer.com/news/security/louis-vuitton-dior-and-tiffany-fined-25-million-over-data-breaches/ ; https://www.csoonline.com/article/4132308/security-remains-providers-responsibility-even-with-saas-personal-information-protection-commission-imposes-36-billion-won-in-fines-on-three-luxury-brands-korean-subsidiaries.html
In the case of Dior, the breach was initiated through a phishing attack targeting a customer service employee. The attacker successfully tricked the employee into granting access to the SaaS system, which had been operational since 2020. This allowed the attacker to access and exfiltrate data for approximately 1.95 million customers. The company failed to implement IP allow-lists, did not restrict bulk data downloads, and neglected to review access logs, which delayed the detection of the breach for over three months. Additionally, Dior did not notify the PIPC within the required 72-hour window after discovering the breach, as mandated by the Personal Information Protection Act (PIPA). The MITRE ATT&CK techniques applicable here include T1566 (Phishing), T1598 (Phishing for Information), T1204 (User Execution), T1078 (Valid Accounts), and T1530 (Data from Cloud Storage Object). Sources: https://www.bleepingcomputer.com/news/security/louis-vuitton-dior-and-tiffany-fined-25-million-over-data-breaches/ ; https://www.csoonline.com/article/4132308/security-remains-providers-responsibility-even-with-saas-personal-information-protection-commission-imposes-36-billion-won-in-fines-on-three-luxury-brands-korean-subsidiaries.html
Tiffany experienced a similar breach, with attackers using voice phishing (vishing) to deceive a customer service employee into providing access to the SaaS system. The breach resulted in the exposure of personal information for approximately 4,600 customers. As with the other two brands, Tiffany failed to implement IP-based access controls, did not restrict bulk data downloads, and did not notify affected individuals or authorities within the legally mandated timeframe. The MITRE ATT&CK techniques relevant to this incident include T1598.003 (Voice Phishing), T1078 (Valid Accounts), and T1530 (Data from Cloud Storage Object). Sources: https://www.bleepingcomputer.com/news/security/louis-vuitton-dior-and-tiffany-fined-25-million-over-data-breaches/ ; https://www.csoonline.com/article/4132308/security-remains-providers-responsibility-even-with-saas-personal-information-protection-commission-imposes-36-billion-won-in-fines-on-three-luxury-brands-korean-subsidiaries.html
Across all three incidents, the compromised data included customer names, phone numbers, email addresses, postal addresses, purchase histories, and, in some cases, birth dates. The breaches were facilitated by a lack of basic security controls, such as IP-based access restrictions, strong authentication mechanisms (e.g., one-time passwords, digital certificates, or hardware security tokens), and bulk data download restrictions. The PIPC emphasized that the use of SaaS platforms does not absolve organizations of their responsibility to protect personal data and that all features provided by such platforms must be fully leveraged to prevent unauthorized access and data leaks.
The evidence supporting these findings is of high quality, as it is based on official regulatory disclosures, primary news reporting, and direct statements from the PIPC. Attribution to the ShinyHunters group in the Louis Vuitton case is supported by Google researcher analysis but lacks direct technical artifacts, resulting in a medium confidence level for this aspect of the investigation.
Affected Versions & Timeline
The breaches affected the Korean subsidiaries of Louis Vuitton, Christian Dior Couture, and Tiffany, all of which were using cloud-based customer management SaaS platforms at the time of the incidents. Louis Vuitton had been operating its SaaS tool since 2013, Dior since 2020, and Tiffany’s timeline is consistent with the other two brands.
The confirmed timeline of events is as follows: Between June 9 and June 13, 2025, Louis Vuitton experienced three separate breach incidents resulting in the exposure of 3.6 million customer records. The Dior and Tiffany breaches occurred in 2025, with Dior’s breach remaining undetected for over three months due to insufficient monitoring. The PIPC plenary session to decide on enforcement actions took place on February 11, 2026, with public announcements and fines disclosed on February 12, 2026. International media coverage followed on February 13, 2026. Sources: https://www.csoonline.com/article/4132308/security-remains-providers-responsibility-even-with-saas-personal-information-protection-commission-imposes-36-billion-won-in-fines-on-three-luxury-brands-korean-subsidiaries.html ; https://en.yna.co.kr/view/AEN20260212003051315
Threat Activity
The threat activity observed in these incidents demonstrates a clear pattern of targeting employees through social engineering and exploiting weak access controls in SaaS environments. In the Louis Vuitton case, the initial infection vector was malware, likely delivered via phishing, which enabled attackers to steal SaaS credentials and access customer data. The campaign was linked by Google researchers to the ShinyHunters group, which has a history of targeting cloud-based platforms, although this attribution is based on campaign similarities rather than direct technical evidence.
For Dior and Tiffany, attackers used phishing and vishing techniques to deceive customer service employees into granting access to internal systems. Once access was obtained, the attackers exploited the lack of IP-based restrictions and bulk data download controls to exfiltrate large volumes of customer data. The absence of regular access log reviews and delayed breach notifications further exacerbated the impact of these incidents.
The compromised data included names, phone numbers, email addresses, postal addresses, purchase histories, and birth dates. The attackers’ ability to move laterally within the SaaS environments and extract sensitive information was facilitated by the companies’ failure to implement least-privilege access, strong authentication, and monitoring controls. The PIPC’s investigation confirmed that these failures constituted violations of the Personal Information Protection Act (PIPA) and warranted significant financial penalties.
The evidence for these threat activities is robust, with confirmation from regulatory findings, primary news sources, and direct statements from the PIPC. The technical details of the attacks align with known tactics, techniques, and procedures (TTPs) used by threat actors targeting SaaS and cloud environments.
Mitigation & Workarounds
The following mitigation strategies are prioritized by severity, based on the confirmed failures and regulatory findings in these incidents:
Critical: Organizations must implement IP-based access controls for all SaaS and cloud-based customer management systems. This restricts access to authorized networks and significantly reduces the risk of unauthorized external access.
Critical: Strong authentication mechanisms, such as multi-factor authentication (MFA) using one-time passwords, digital certificates, or hardware security tokens, must be enforced for all users accessing sensitive data or administrative functions within SaaS platforms.
High: Regular review and monitoring of access logs are essential to detect unauthorized or anomalous activity. Automated alerts should be configured for unusual access patterns, such as bulk data downloads or logins from unfamiliar locations.
High: Bulk data download restrictions should be applied to prevent mass exfiltration of customer data. Access to export or download large datasets should be limited to authorized personnel and require additional approval or authentication.
Medium: Employee training and awareness programs should be enhanced to address the risks of phishing and vishing attacks. Simulated phishing exercises and clear reporting procedures can help reduce the likelihood of successful social engineering attacks.
Medium: Incident response and breach notification procedures must be reviewed and updated to ensure compliance with regulatory requirements, including the 72-hour notification window mandated by PIPA.
Low: Periodic third-party security assessments and penetration testing of SaaS environments can help identify and remediate vulnerabilities before they are exploited by attackers.
These mitigation measures are directly supported by the PIPC’s findings and are consistent with best practices for securing SaaS and cloud-based customer management systems. Source: https://www.csoonline.com/article/4132308/security-remains-providers-responsibility-even-with-saas-personal-information-protection-commission-imposes-36-billion-won-in-fines-on-three-luxury-brands-korean-subsidiaries.html
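As an added illustration of the Critical and High items above (not code from the PIPC findings or from any of the affected companies), the following review routine runs over a constructed SaaS audit log and flags the two failures the regulator cited: access from outside an IP allow-list and bulk exports above an approval threshold. The event fields, the allowed network and the threshold are assumptions, not any vendor’s real schema.

```python
import ipaddress
from collections import defaultdict

# Constructed sample audit events from a hypothetical SaaS CRM tenant.
# Field names are assumptions; real platforms expose different schemas.
SAMPLE_EVENTS = [
    {"ts": "2025-06-09T08:02:11Z", "user": "cs_agent1", "src_ip": "203.0.113.10", "action": "login", "records": 0},
    {"ts": "2025-06-09T08:05:40Z", "user": "cs_agent1", "src_ip": "203.0.113.10", "action": "export", "records": 250},
    {"ts": "2025-06-09T23:41:02Z", "user": "cs_agent1", "src_ip": "198.51.100.77", "action": "login", "records": 0},
    {"ts": "2025-06-09T23:43:15Z", "user": "cs_agent1", "src_ip": "198.51.100.77", "action": "export", "records": 120000},
    {"ts": "2025-06-10T01:10:00Z", "user": "cs_agent1", "src_ip": "198.51.100.77", "action": "export", "records": 90000},
]

# Corporate egress range the tenant should be restricted to (assumed value).
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
# Export size above which an additional approval step should be required (assumed).
BULK_THRESHOLD = 10_000


def ip_allowed(ip, nets=ALLOWED_NETS):
    """Allow-list check a SaaS tenant policy would apply before accepting a session."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def review_access_log(events, nets=ALLOWED_NETS, bulk_threshold=BULK_THRESHOLD):
    """Scan audit events; return (alerts, records exported per user).

    Alerts are tuples of (kind, user, detail, timestamp). A session from
    outside the allow-list and every export at or above the threshold each
    raise one alert, so a single off-network bulk export produces two.
    """
    alerts = []
    exported = defaultdict(int)
    for e in events:
        if not ip_allowed(e["src_ip"], nets):
            alerts.append(("OFF_ALLOWLIST", e["user"], e["src_ip"], e["ts"]))
        if e["action"] == "export":
            exported[e["user"]] += e["records"]
            if e["records"] >= bulk_threshold:
                alerts.append(("BULK_EXPORT", e["user"], e["records"], e["ts"]))
    return alerts, dict(exported)


if __name__ == "__main__":
    found, totals = review_access_log(SAMPLE_EVENTS)
    for a in found:
        print(a)
    print("records exported per user:", totals)
```

Had an allow-list been enforced at the tenant, the sessions from 198.51.100.77 would have been refused outright; the log review is the detective fallback for when that control is missing.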
References
https://www.bleepingcomputer.com/news/security/louis-vuitton-dior-and-tiffany-fined-25-million-over-data-breaches/ (February 13, 2026)
https://www.csoonline.com/article/4132308/security-remains-providers-responsibility-even-with-saas-personal-information-protection-commission-imposes-36-billion-won-in-fines-on-three-luxury-brands-korean-subsidiaries.html (February 13, 2026)
https://en.yna.co.kr/view/AEN20260212003051315 (February 12, 2026)
About Rescana
Rescana provides a Third-Party Risk Management (TPRM) platform designed to help organizations identify, assess, and monitor security risks in their vendor and partner ecosystems. Our platform enables continuous evaluation of SaaS and cloud service providers, supports the implementation of access controls and authentication best practices, and facilitates compliance with regulatory requirements for data protection and breach notification. For questions or further information, please contact us at ops@rescana.com.