Louis Vuitton, Dior, and Tiffany Fined $25 Million in South Korea Over SaaS Customer Management System Data Breaches
- Feb 17

Executive Summary
South Korea’s Personal Information Protection Commission (PIPC) has imposed a combined fine of approximately KRW 36 billion (US$25 million) on the Korean subsidiaries of Louis Vuitton, Christian Dior Couture, and Tiffany following significant data breaches that exposed the personal information of over 5.5 million customers. The breaches, which occurred between June and September 2025, were made possible by inadequate security controls in the companies’ cloud-based customer management systems, which ran on Software-as-a-Service (SaaS) platforms. Attackers exploited weak authentication, the absence of IP-based access restrictions, and insufficient monitoring, using both malware and social engineering (vishing) to gain unauthorized access. The PIPC’s investigation found that all three companies failed to meet statutory requirements for data protection and timely breach notification under South Korea’s Personal Information Protection Act (PIPA). The incidents highlight the critical importance of robust SaaS security controls and regulatory compliance in the luxury retail sector. All information in this summary is directly supported by the cited sources below.
Technical Information
The breaches affecting Louis Vuitton Korea, Christian Dior Couture Korea, and Tiffany Korea were executed through a combination of malware-based credential theft and advanced social engineering, specifically vishing (voice phishing). The attackers targeted the companies’ SaaS-based customer management platforms, which were used to store and process sensitive customer data, including names, phone numbers, email addresses, postal addresses, and purchase histories.
In the case of Louis Vuitton Korea, the initial compromise occurred when an employee’s device was infected with malware. This malware enabled the attackers to harvest valid SaaS account credentials, which were then used to access the cloud-based customer management system. The attackers exploited the absence of IP-based access restrictions and the lack of strong authentication mechanisms, such as multi-factor authentication (MFA), to move laterally within the environment and exfiltrate data. The breach resulted in the exposure of personal data for approximately 3.6 million individuals across three separate incidents between June 9 and June 13, 2025. The company had been using the SaaS platform since 2013 but had not implemented key security controls, including IP allow-listing and regular access log reviews. (https://www.csoonline.com/article/4132308/security-remains-providers-responsibility-even-with-saas-personal-information-protection-commission-imposes-36-billion-won-in-fines-on-three-luxury-brands-korean-subsidiaries.html)
For Christian Dior Couture Korea, the breach was initiated through a vishing attack. A customer service representative was deceived by an attacker impersonating IT support, who convinced the employee to provision SaaS access directly to the attacker. Once inside, the attacker exploited the lack of IP-based access controls, absence of restrictions on bulk data exports, and the failure to conduct monthly access log reviews. This allowed the breach to go undetected for over three months, ultimately exposing the personal data of approximately 1.95 million individuals. Dior also failed to notify authorities and affected individuals within the 72-hour window required by PIPA, instead disclosing the breach five days after discovery. (https://www.bleepingcomputer.com/news/security/louis-vuitton-dior-and-tiffany-fined-25-million-over-data-breaches/)
Tiffany Korea experienced a similar attack vector, with a customer service employee being socially engineered via vishing to grant access privileges to the attacker. The attacker then exploited the same lack of IP-based access controls and absence of bulk download restrictions, compromising the personal information of approximately 4,600 individuals. Like Dior, Tiffany failed to report the breach within the legally mandated timeframe. (https://en.yna.co.kr/view/AEN20260212003000315)
Technical analysis of these incidents indicates that the attackers used a combination of credential-harvesting malware and social engineering to gain initial access. Once inside the SaaS platforms, they leveraged legitimate administrative tools, such as bulk data export features, to exfiltrate large volumes of customer data. In the case of Louis Vuitton, Google researchers and Mandiant have linked similar campaigns to the ShinyHunters group, which is known for targeting Salesforce environments using vishing and OAuth abuse. However, direct attribution to ShinyHunters in these specific incidents is assessed with medium confidence, as no unique malware samples or technical indicators have been publicly released. (https://www.varonis.com/blog/salesforce-vishing-threat-unc604)
The attacks map to several MITRE ATT&CK techniques: spearphishing via service (T1566.003), valid accounts (T1078), application access tokens obtained through OAuth device-flow abuse (T1550.001), and exfiltration over web service (T1567.002). Because the attackers exfiltrated data through legitimate SaaS features rather than custom tooling, many traditional security controls did not trigger.
The breaches underscore the risks associated with inadequate SaaS security in the luxury retail sector, where high-value customer data is a prime target. The PIPC emphasized that adopting SaaS solutions does not absolve organizations of their responsibility to protect personal information and that companies must fully leverage available security features, including least-privilege access, IP-based restrictions, strong authentication, and regular monitoring.
Affected Versions & Timeline
The affected organizations were the Korean subsidiaries of Louis Vuitton, Christian Dior Couture, and Tiffany. All three companies were using cloud-based customer management SaaS platforms at the time of the breaches.
Louis Vuitton Korea had been operating its SaaS platform since 2013. The breach occurred over three incidents between June 9 and June 13, 2025, resulting in the exposure of data for approximately 3.6 million customers.
Christian Dior Couture Korea had been using its SaaS system since 2020. The breach, which exposed data for approximately 1.95 million customers, went undetected for over three months due to a lack of access log reviews. The company reported the breach to authorities five days after discovery, missing the 72-hour notification requirement.
Tiffany Korea experienced its breach in a similar timeframe, with the personal information of approximately 4,600 customers compromised. Like Dior, Tiffany failed to notify authorities and affected individuals within the required 72-hour window.
The PIPC’s enforcement actions and fines were announced on February 12, 2026. All three companies were ordered to publicly disclose the enforcement actions on their websites. (https://www.csoonline.com/article/4132308/security-remains-providers-responsibility-even-with-saas-personal-information-protection-commission-imposes-36-billion-won-in-fines-on-three-luxury-brands-korean-subsidiaries.html, https://en.yna.co.kr/view/AEN20260212003000315)
Threat Activity
The threat activity in these incidents was characterized by a combination of malware-based credential theft and advanced social engineering, specifically vishing. In the Louis Vuitton Korea case, the attackers used malware to compromise an employee’s device and harvest SaaS credentials, which were then used to access the customer management platform. The attackers exploited the lack of IP-based access restrictions and strong authentication to move laterally and exfiltrate data.
In the cases of Christian Dior Couture Korea and Tiffany Korea, the attackers used vishing to impersonate IT support and convince customer service employees to grant them access to the SaaS platforms. Once inside, the attackers exploited the absence of IP-based access controls, lack of restrictions on bulk data exports, and insufficient monitoring to exfiltrate large volumes of customer data.
Technical analysis suggests that the attackers used legitimate administrative tools within the SaaS platforms, such as bulk data export features, to facilitate data exfiltration. In similar campaigns, attackers have abused OAuth device flows to obtain persistent access tokens, allowing them to maintain access even if credentials are changed. The use of legitimate tools and authorized apps enabled the attackers to evade many traditional security controls.
Attribution to the ShinyHunters group is assessed with medium confidence, based on similarities to other campaigns targeting Salesforce environments and the use of vishing and OAuth abuse. However, no unique malware samples or technical indicators from these specific incidents have been publicly released to confirm attribution with high confidence. (https://www.bleepingcomputer.com/news/security/louis-vuitton-dior-and-tiffany-fined-25-million-over-data-breaches/, https://www.varonis.com/blog/salesforce-vishing-threat-unc604)
The breaches highlight a broader pattern of threat activity targeting the luxury retail sector, where attackers exploit weak SaaS security controls and rely on social engineering to bypass technical defenses. The incidents underscore the need for robust access controls, strong authentication, and regular monitoring in SaaS environments.
Mitigation & Workarounds
The following mitigation strategies are prioritized by severity:
Critical: Organizations must implement least-privilege access controls for all SaaS platforms, ensuring that users have only the permissions necessary for their roles. IP-based access restrictions should be enforced to limit access to trusted networks, and strong authentication mechanisms, such as multi-factor authentication (MFA), should be mandatory for all remote access.
High: Regular access log reviews must be conducted to detect unauthorized or suspicious activity. Bulk data export and download features should be restricted to only those users with a legitimate business need, and all such activity should be closely monitored and logged.
Medium: Employee training programs should be enhanced to raise awareness of social engineering tactics, including vishing and phishing. Incident response plans should be updated to ensure timely detection, reporting, and containment of breaches, in compliance with regulatory requirements.
Low: Organizations should conduct periodic security assessments of their SaaS environments, including penetration testing and configuration reviews, to identify and remediate potential vulnerabilities.
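The Critical and High controls above (IP allow-listing, scrutiny of newly provisioned accounts, and limits on bulk exports) can be turned into a routine audit-log review. The following is an added example, not code from Rescana or from any of the brands' SaaS vendors; the log format, account names, IP ranges and thresholds are constructed assumptions, and a real deployment would read the vendor's own audit export instead of the inline sample.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample audit log (not from any vendor): timestamp actor event source_ip detail.
# Names are hypothetical; IPs come from documentation ranges.
SAMPLE_LOG = """\
2025-06-09T08:02:11Z alice login 203.0.113.10 -
2025-06-09T08:05:40Z alice export 203.0.113.10 120
2025-06-09T22:14:03Z alice login 198.51.100.77 -
2025-06-09T22:16:30Z alice export 198.51.100.77 250000
2025-06-10T09:30:00Z helpdesk user_created 203.0.113.10 svc-support
2025-06-10T09:31:12Z svc-support login 198.51.100.77 -
2025-06-10T09:40:00Z svc-support export 198.51.100.77 80000
"""

TRUSTED_NETS = [ip_network("203.0.113.0/24")]  # assumed corporate egress range
EXPORT_THRESHOLD = 10_000                       # records; far above a single rep's need
NEW_ACCOUNT_WINDOW = timedelta(hours=1)         # provisioned-then-used-off-network window

def parse(log_text):
    """Parse one event per line; timestamps are read as UTC."""
    events = []
    for line in log_text.splitlines():
        ts, actor, event, ip, detail = line.split()
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "actor": actor, "event": event,
                       "ip": ip_address(ip), "detail": detail})
    return events

def review(events):
    """Return (finding, account, evidence) tuples, in log order."""
    findings = []
    created = {}  # newly provisioned account -> creation time
    for e in events:
        untrusted = not any(e["ip"] in net for net in TRUSTED_NETS)
        if e["event"] == "user_created":
            created[e["detail"]] = e["ts"]
        elif e["event"] == "login" and untrusted:
            # Login from outside the allow-list: the control all three brands lacked.
            findings.append(("login_outside_allowlist", e["actor"], str(e["ip"])))
            if e["actor"] in created and e["ts"] - created[e["actor"]] <= NEW_ACCOUNT_WINDOW:
                # Account provisioned and used off-network within the hour: the vishing pattern.
                findings.append(("new_account_used_off_network", e["actor"], str(e["ip"])))
        elif e["event"] == "export" and int(e["detail"]) >= EXPORT_THRESHOLD:
            # Bulk export above threshold: the exfiltration path in the Dior and Tiffany cases.
            findings.append(("bulk_export", e["actor"], int(e["detail"])))
    return findings
```

Calling `review(parse(SAMPLE_LOG))` on the sample returns five findings: two off-network logins, one newly created account used off-network within a minute of provisioning, and two bulk exports, while the 120-record export from the trusted range is left alone.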
The PIPC specifically emphasized that adopting SaaS solutions does not transfer the responsibility for data protection to the vendor. Organizations must fully leverage the security features provided by SaaS platforms and ensure compliance with all relevant data protection regulations. (https://www.csoonline.com/article/4132308/security-remains-providers-responsibility-even-with-saas-personal-information-protection-commission-imposes-36-billion-won-in-fines-on-three-luxury-brands-korean-subsidiaries.html)
References
https://www.csoonline.com/article/4132308/security-remains-providers-responsibility-even-with-saas-personal-information-protection-commission-imposes-36-billion-won-in-fines-on-three-luxury-brands-korean-subsidiaries.html (Feb 13, 2026)
https://www.bleepingcomputer.com/news/security/louis-vuitton-dior-and-tiffany-fined-25-million-over-data-breaches/ (Feb 13, 2026)
https://en.yna.co.kr/view/AEN20260212003000315 (Feb 12, 2026)
https://www.varonis.com/blog/salesforce-vishing-threat-unc604 (Sep 22, 2025)
About Rescana
Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor security risks in their extended digital supply chains, including SaaS environments. Our platform enables continuous assessment of vendor security controls, supports regulatory compliance efforts, and provides actionable insights for improving access management and incident response processes. For questions or further information, please contact us at ops@rescana.com.