South Korea’s Personal Information Protection Commission (PIPC) fined Louis Vuitton, Christian Dior Couture, and Tiffany a combined $25 million after data breaches exposed the information of more than 5.5 million customers due to inadequate security controls on a cloud-based customer management service. Investigators linked the incidents to the ShinyHunters campaigns targeting Salesforce-related SaaS access, and regulators stressed that using SaaS does not transfer responsibility for protecting personal data.
Key points
- PIPC imposed a total of $25 million in fines on Louis Vuitton, Christian Dior Couture, and Tiffany for failing to secure customer data.
- Over 5.5 million customers had names, phone numbers, emails, postal addresses, and purchase histories exposed.
- Attack vectors included a malware-infected employee device, phishing, and voice-phishing that allowed access to the SaaS customer-management system.
- Security researchers and claims tied the breaches to the ShinyHunters group targeting Salesforce-related platforms.
- PIPC highlighted failures such as lack of IP-based access controls, no bulk-download restrictions, inadequate log monitoring, and delayed breach notifications.