
South Korea’s Personal Information Protection Commission (PIPC) has imposed over ₩36 billion (approx. $25 million) in fines on three luxury brands, Louis Vuitton, Dior, and Tiffany, after concluding investigations into significant customer data breaches that stemmed from poor security practices around SaaS-based customer management platforms.
The decision follows months of investigation into the overlapping incidents, all of which were part of a broader data theft campaign targeting Salesforce customers, a campaign previously attributed to the hacking group ShinyHunters. The breaches affected millions of customers across South Korea and involved unauthorized access via credential theft, social engineering, and the misuse of data-extraction tools.
The affected brands are subsidiaries of LVMH, the world’s largest luxury goods conglomerate, which acquired Tiffany & Co. in 2021 for $16 billion. Dior and Louis Vuitton have long been flagship brands in the LVMH portfolio, operating extensive retail networks in South Korea, where they collect customer data through loyalty programs and after-sales services.
Louis Vuitton Korea received the largest penalty, totaling ₩21.4 billion ($14.8 million), after a malware infection on an employee’s device allowed threat actors to exfiltrate the company’s Salesforce account credentials. This led to the exposure of personal data belonging to approximately 3.6 million customers over a series of three breaches between June 9 and June 13, 2025.
Investigators found that the company had failed to implement essential safeguards, such as IP-based access controls or strong authentication, despite using the SaaS platform since 2013. Without a trusted-IP restriction or a second authentication factor, the stolen credentials alone were enough to log in as the employee, so the attackers could abuse them with relative ease.
Christian Dior Couture Korea was fined ₩12.2 billion ($8.4 million) for violations related to access control and breach notification laws. In Dior’s case, a customer service representative was tricked via voice phishing into granting access to an attacker, who subsequently downloaded data on approximately 1.95 million customers.
PIPC found that Dior had not restricted IP access, failed to limit data export capabilities, and neglected to monitor download logs monthly, allowing the breach to go undetected for over three months. Furthermore, the brand delayed notifying affected individuals for five days after detecting the breach, violating the mandated 72-hour reporting window under Korean law.
Tiffany Korea was similarly fined ₩2.41 billion ($1.65 million). The breach followed the same pattern as Dior’s: a customer support staffer fell for voice phishing, inadvertently granting the attacker access to Salesforce. About 4,600 customer records were compromised, including sensitive sales and contact information.
Despite using the platform since 2021 for marketing purposes, Tiffany had not enabled basic protections, such as IP access controls or download restrictions, and failed to notify customers within the required 72 hours, reporting the breach 13 days after detection.
The PIPC stressed that merely adopting enterprise-grade SaaS tools does not absolve companies of their responsibility to secure customer data. In all three cases, the commission criticized the brands for underutilizing built-in security features and failing to implement basic controls such as OTP-based authentication, access logging, and IP geolocation filtering.
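The controls the PIPC faulted all three brands for skipping (trusted-IP restrictions, limits on who may export, and regular review of download logs) are cheap to check retrospectively. The script below is an added example, not code from the PIPC, LVMH, or Salesforce: it runs three detections over constructed, Salesforce-style report export log lines: an export from outside an assumed corporate IP allowlist, an export by an account outside an assumed set of export-permitted users, and a sliding-window volume check that flags a user whose exported row count exceeds an assumed threshold within 24 hours. The CSV column names, user IDs, IP ranges, and thresholds are all assumptions for the example.

```python
"""Detect suspicious report exports in Salesforce-style event logs.

Added example, not code from the PIPC, LVMH or Salesforce. The log shape
(CSV with EVENT_TYPE, TIMESTAMP_DERIVED, USER_ID, CLIENT_IP, REPORT_ID,
ROWS_PROCESSED) is a simplification modelled on Salesforce event log files;
the sample lines, user IDs, IP ranges and thresholds are all constructed.
"""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed corporate egress ranges (documentation-only placeholder networks).
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                    ipaddress.ip_network("198.51.100.0/24")]
# Assumed set of users whose role legitimately includes bulk report export.
EXPORT_ALLOWED_USERS = {"005AnalystA"}
# Assumed threshold: more rows than this from one user inside WINDOW is
# abnormal for a store or call-centre role.
ROW_THRESHOLD = 10_000
WINDOW = timedelta(hours=24)

# Constructed sample log: one routine analyst export, then a burst from an
# off-network IP by a support account that should never export in bulk, a
# non-export event, and a small on-network export days later.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,CLIENT_IP,REPORT_ID,ROWS_PROCESSED
ReportExport,2025-06-09T01:10:00Z,005AnalystA,203.0.113.15,00O1,800
ReportExport,2025-06-09T02:45:12Z,005SupportB,192.0.2.77,00O2,6000
ReportExport,2025-06-09T02:51:30Z,005SupportB,192.0.2.77,00O3,7000
Login,2025-06-09T03:00:00Z,005SupportB,192.0.2.77,,
ReportExport,2025-06-13T22:05:00Z,005SupportB,203.0.113.40,00O4,150
"""


def parse_log(text):
    """Parse CSV text into dicts, keeping only ReportExport events."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        if rec["EVENT_TYPE"] != "ReportExport":
            continue  # logins etc. are skipped before field conversion
        rec["TIMESTAMP_DERIVED"] = datetime.strptime(
            rec["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%SZ")
        rec["ROWS_PROCESSED"] = int(rec["ROWS_PROCESSED"] or 0)
        rows.append(rec)
    return rows


def ip_allowed(ip_str):
    """True if the client IP falls inside one of the trusted ranges."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in ALLOWED_NETWORKS)


def find_suspicious_exports(text):
    """Return (rule, user, detail) findings in timestamp order."""
    findings = []
    exports = sorted(parse_log(text), key=lambda r: r["TIMESTAMP_DERIVED"])
    history = defaultdict(list)  # user -> [(timestamp, rows)] inside WINDOW
    for rec in exports:
        user, ts = rec["USER_ID"], rec["TIMESTAMP_DERIVED"]
        if not ip_allowed(rec["CLIENT_IP"]):
            findings.append(("off_network_export", user, rec["CLIENT_IP"]))
        if user not in EXPORT_ALLOWED_USERS:
            findings.append(("unprivileged_export", user, rec["REPORT_ID"]))
        # Sliding window: drop this user's exports older than WINDOW, add the
        # current one, and compare the summed row count to the threshold.
        history[user] = [(t, n) for t, n in history[user] if ts - t <= WINDOW]
        history[user].append((ts, rec["ROWS_PROCESSED"]))
        total = sum(n for _, n in history[user])
        if total > ROW_THRESHOLD:
            findings.append(("export_volume", user, total))
    return findings


if __name__ == "__main__":
    for rule, user, detail in find_suspicious_exports(SAMPLE_LOG):
        print(f"{rule:20} {user:12} {detail}")
```

On the sample, the analyst's export produces nothing, the support account's two off-network exports trip both the IP and the permission rules, the second of them pushes the 24-hour total to 13,000 rows and trips the volume rule, and the later on-network export is flagged only for the missing export permission because the earlier rows have aged out of the window. Run monthly (or, better, as a scheduled job against fresh event logs), the same three checks would have surfaced the exports described above long before a three-month gap.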
