China’s Cybersecurity Authority Fines Dior for Breach of Customer Data Transfer Regulations

On September 10, the Cyberspace Administration of China announced administrative sanctions against the Shanghai branch of Dior, a luxury brand owned by LVMH. The action stems from the unauthorized transfer of customers' personal data to the company's headquarters in France, and it highlights significant compliance lapses in the brand's data protection practices.

The investigation into Dior Shanghai was triggered by a data breach that occurred in May. During their inquiry, Chinese cybersecurity authorities found that the brand had committed multiple infractions. Notably, it transferred sensitive customer information to its Paris headquarters without conducting the necessary security assessments or obtaining the certifications required for personal data protection.

Additionally, the company failed to notify customers about the handling of their data prior to its transfer and neglected to secure separate consent from them, as mandated by data protection regulations. Furthermore, Dior Shanghai did not employ essential security measures such as encryption and data de-identification, leaving the data vulnerable to exploitation.

The specific penalties levied against Dior have not yet been revealed. However, the breach itself raised significant concerns regarding consumer privacy, as an unauthorized party accessed customer data including names, genders, phone numbers, email addresses, mailing addresses, purchase histories, and consumption preferences.

On May 12, following the breach, multiple customers received notifications from Dior alerting them to the potential compromise of their personal data. This incident is not an isolated event; several other luxury brands have similarly reported data breaches in China this year. For example, in June, customers of Cartier were informed via email about a system compromise, and in July, Louis Vuitton acknowledged a breach affecting approximately 420,000 customers in Hong Kong.

Industry experts have observed that while many luxury brands have undergone digital transformation, their management of data security tends to be relatively lax. The customer data of several major brands is often stored in fragmented systems without clear boundaries, complicating the enforcement of unified security protocols and dynamic risk controls.

While the specifics of the attack on Dior Shanghai remain under investigation, the tactics involved may have included initial access through social engineering or the exploitation of system vulnerabilities. Persistence techniques could then have let the intruder retain access to the compromised systems, and privilege escalation could have allowed them to reach sensitive customer information they were not authorized to see.

The incident underscores the ongoing challenges luxury brands face regarding cybersecurity and data protection. As businesses strive to protect customer information, the importance of maintaining stringent data handling procedures and security measures becomes increasingly evident.

Editor: Martin Kadiev
