What happened
South Korea has fined luxury brands Louis Vuitton, Christian Dior Couture, and Tiffany a combined $25 million following data breaches that exposed customer information. According to South Korea’s Personal Information Protection Commission (PIPC), the breaches occurred after attackers gained access to the companies’ cloud-based customer management systems. In Louis Vuitton’s case, malware on an employee’s device enabled access to the software-as-a-service platform, exposing data from 3.6 million customers. Dior’s breach stemmed from a phishing attack on a customer service employee, compromising data belonging to 1.95 million customers, while Tiffany was breached through voice phishing that exposed 4,600 clients. Exposed information included names, phone numbers, email addresses, postal addresses, and purchase histories. The regulator found that the companies failed to implement adequate access controls and secure authentication measures.Â
Who is affected
More than 5.5 million customers of Louis Vuitton, Christian Dior Couture, and Tiffany were affected, with personal information exposed after attackers accessed cloud-based customer management systems used by the companies.Â
Why CISOs should care
The breaches demonstrate how compromised employee access and weak authentication controls in cloud-based customer management platforms can result in large-scale exposure of customer data and regulatory penalties.Â
3 practical actions
- Enforce secure authentication controls. Implement strong authentication mechanisms for access to cloud-based customer management systems.
- Restrict and monitor access rights. Apply IP-based restrictions and monitor access logs to detect unauthorized access attempts.
- Strengthen phishing defenses. Improve protections and training to reduce risks from phishing and social engineering targeting employees.