![A sign outside a Tiffany & Co boutique in Avenue Montaigne. [TASS/YONHAP]](https://koreajoongangdaily.joins.com/data/photo/2025/06/01/c8f7440f-b363-4d37-8792-67b607f388ea.jpg)
The Korea Personal Information Protection Commission (PIPC) announced on Sunday an investigation into data breaches affecting luxury brands Dior and Tiffany, both subsidiaries of the global fashion conglomerate LVMH. This inquiry has been prompted by concerns regarding the companies’ delayed responses in reporting the incidents.
According to the commission, Dior experienced a data breach on January 26 but only recognized the incident over 100 days later, on May 7, and reported it to the PIPC three days after that, on May 10. The Act on the Promotion of Information and Communications Network Utilization and Information Protection requires organizations to inform the Korea Internet & Security Agency or the Ministry of Science and ICT within 24 hours of detecting such breaches.
Following its discovery, Dior did not notify affected customers until May 13, six days after awareness of the breach, communicating through its website and email. The compromised data included sensitive information such as names, phone numbers, email addresses, and mailing addresses.
Similarly, Tiffany Korea’s breach, which took place in April, was not identified until May 9, and the company reported it only on May 22, 13 days post-detection. Notifications were sent to a limited number of customers via email, omitting a more extensive public notice on its website.
The focus of the PIPC’s investigation will be to determine the full extent of the breaches, assess compliance with existing technical and administrative safeguards, and investigate potential violations of Korea’s personal information protection laws.
A significant aspect of the inquiry will address the notable delays in both breach reporting and customer notifications. The commission stated that any confirmed violations would result in appropriate legal actions.
Initial findings suggest that the breaches involved employee account credentials for customer management services that run on software-as-a-service (SaaS) platforms. This will also be a focal point of the ongoing investigation.
The PIPC highlighted that companies leveraging SaaS-based systems should implement two-factor authentication for employee accounts and set IP address restrictions to mitigate unauthorized access.
LVMH, which manages over 80 brands, reported impressive domestic sales figures last year, with Dior and Tiffany Korea generating revenues of 945.3 billion won ($691 million) and 377.9 billion won, respectively.
As investigations proceed, understanding the tactics employed in these breaches could prove invaluable for other businesses in the luxury sector and beyond. Analysts have suggested that tactics outlined in the MITRE ATT&CK framework, such as initial access using compromised credentials and potential persistence through phishing for additional information, might have been leveraged in these cases.
Translated from the JoongAng Ilbo using generative AI and edited by Korea JoongAng Daily staff.
BY HAN EUN-HWA