The luxury fashion powerhouse Chanel has reported a data breach affecting select customers in the United States. In a letter to clients, the company disclosed that it became aware on July 25 of a security incident involving a U.S. database managed by an external service provider.
This compromised database, associated with Chanel’s Salesforce environment, was unlawfully accessed by an external entity that acquired customer information. A representative from Chanel confirmed that an investigation concluded unauthorized access had indeed occurred.
The investigation revealed that the data accessed by the external attacker included limited personal details of certain individuals who had reached out to Chanel’s customer service in the U.S. The affected data comprised names, email addresses, mailing addresses, and phone numbers. Notably, Chanel asserted that no malware was detected within their systems, and their core operations remained uninterrupted throughout this incident.
Upon identifying the breach, Chanel swiftly implemented its security protocols and enlisted specialist cybersecurity experts to assist with the ongoing investigation. Reports indicate that this incident is part of a broader trend of attacks targeting Salesforce users, linked to a group of cybercriminals known as ShinyHunters. This places Chanel among several prominent brands, including Adidas and LVMH labels like Louis Vuitton and Tiffany & Co., which have also faced similar security challenges.
Security experts have pointed out that these attackers do not rely on traditional hacking techniques. Instead, they have deployed social engineering methods, particularly a tactic known as “vishing,” or voice phishing, to manipulate employees into disclosing their login credentials or unwittingly granting access to malicious applications. Once authenticated, the attackers extract data from the database, subsequently leveraging this information to demand financial compensation.
Salesforce, the platform targeted in the incident, has insisted that its systems were not compromised. They clarified that vulnerabilities were not rooted in their technology, but rather stemmed from sophisticated social engineering tactics employed by the attackers. Salesforce emphasizes the critical role of organizations in safeguarding their data, particularly in light of the escalating prevalence of such methodically advanced scams.
Industry experts underscore the need for stringent scrutiny regarding access controls, system monitoring, and the configuration of third-party integrations. Piyush Pandey, CEO of Pathlock, highlighted the importance of organizations reassessing their access governance strategies given the current landscape of cybersecurity threats. As the sophistication of attacks increases, a proactive approach to data security is paramount for maintaining integrity and trust with clients.
