Tiffany and Dior Experience Data Breaches, Report Delays Last Weeks

LVMH Moët Hennessy – Louis Vuitton Chairman and CEO Bernard Arnault is pictured before the start of the Formula One Grand Prix of Monaco at the Circuit de Monaco in Monte Carlo on May 25. [EPA/YONHAP]

Recent reports have unveiled multiple data breaches affecting luxury brands owned by LVMH Moët Hennessy – Louis Vuitton, the largest luxury conglomerate in the world. These incidents have sparked considerable concern among consumers regarding the efficacy of the group’s data security protocols.

On May 9, Tiffany & Company Korea disclosed that it had identified a breach revealing personal information—including names, addresses, phone numbers, email addresses, and sales data—of customers based in South Korea. The breach initially occurred on April 8 but remained undetected until a month later.

Despite the serious nature of this incident, Tiffany & Company Korea has stated that there’s no evidence suggesting misuse or exploitation of the leaked information. The company did not announce the breach on its public channels, opting instead to notify affected customers via email. A customer service representative explained that suspicious activity emanated from a third-party application responsible for managing global customer data, and added that security measures have since been enacted. Importantly, the exposed data did not include any financial information, such as credit card details.

A related breach was reported by Dior, another prestigious brand under the LVMH umbrella. On May 13, Dior acknowledged the leak of customer information, including names, phone numbers, email addresses, and purchase histories. This breach, which occurred on January 26, went unnoticed for over 100 days, with the company revealing the incident to customers only after a six-day delay following its detection on May 7. This sluggish response attracted criticism, particularly amid Korea’s Information and Communications Network Act, which mandates that companies inform regulatory bodies within 24 hours of confirming a data breach. Dior reported the breach to authorities three days post-discovery, raising further scrutiny regarding compliance.

Public sentiment has turned negative in online communities, where users express concerns about data privacy. One user remarked on the unsettling nature of data leaks, while another pointed out the broader implications following high-profile incidents, such as the breach at SK Telecom. Responses to the recent findings have led some customers to alter security settings, including updating email passwords and financial configurations.

Dior Korea posted an apology to its website on May 13 following a data breach in January. [SCREEN CAPTURE]

In the previous year, Dior and Tiffany & Company reported revenues of approximately 945.3 billion won ($689.4 million) and 377.9 billion won, respectively. With LVMH managing over 80 brands, the conglomerate faces intensifying scrutiny relating to its enterprise-wide data management practices. Consumers are increasingly concerned about the potential for additional brands to be impacted due to shared data infrastructures.

Experts are raising alarms regarding the possible use of MITRE ATT&CK tactics in these breaches. The lapses appear to align with categories such as Initial Access and Persistence, suggesting that attackers may have leveraged vulnerabilities within third-party applications to infiltrate systems and maintain access over time. As concerns mount, it is imperative for affected brands to conduct expedient investigations to determine the extent of the damage and to notify their customer base accordingly.

Translated from the JoongAng Ilbo using generative AI and edited by Korea JoongAng Daily staff.
BY HWANG SOO-YEON [[email protected]]