Louis Vuitton, Dior and Tiffany fined $25 million for South Korean data breaches

  • Marijan Hassan - Tech Journalist
  • 6 minutes ago
  • 2 min read

Regulators fault LVMH brands for "convenience over security" in SaaS management; over 5.5 million customers exposed.


Editorial credit: Toshio Chan / Shutterstock

The South Korean Personal Information Protection Commission (PIPC) has handed down a record-setting $25 million (36 billion won) in combined fines to the local units of Louis Vuitton, Christian Dior, and Tiffany & Co. The ruling, announced on February 12, 2026, follows a massive investigation into security failures that allowed hackers to siphon sensitive data from the brands' cloud-based customer management systems.


The fine is one of the largest ever imposed in South Korea’s luxury retail sector, signalling a "zero-tolerance" approach to the poor management of Software-as-a-Service (SaaS) platforms.


The "ShinyHunters" connection

The breaches, which occurred throughout 2025, have been linked by security researchers to the notorious ShinyHunters hacking group - the same entity responsible for the massive Ticketmaster and AT&T breaches. The group targeted the brands' Salesforce instances by exploiting the "human element" within the local Korean subsidiaries.


  • Louis Vuitton ($14.8M fine): The hardest hit of the three. A malware infection on an employee’s device allowed attackers to harvest SaaS credentials, exposing the data of 3.6 million customers.

  • Christian Dior ($8.4M fine): A customer service representative fell victim to a voice phishing (vishing) attack, inadvertently granting access to 1.95 million customer records. The PIPC noted that Dior failed to notice the breach for three months due to a total lack of access log monitoring.

  • Tiffany & Co. ($1.6M fine): Followed a similar vishing pattern, exposing roughly 4,600 records. While the scale was smaller, the brand was penalized for failing to notify customers within the legally mandated 72-hour window.


The "security is not outsourced" warning

The PIPC's ruling serves as a stern warning to global enterprises: using a world-class provider like Salesforce does not absolve a company of its own security responsibilities.


Investigators found that none of the three brands had implemented IP-based access restrictions (which would have blocked logins from unauthorized locations) or Multi-Factor Authentication (MFA) for their external service handlers.


In addition to the Dior monitoring failure, Tiffany reportedly waited 13 days after detecting its breach to notify the authorities, a direct violation of the Personal Information Protection Act (PIPA).
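The controls the regulator found missing (an IP allowlist and MFA for external service handlers, routine access-log review, and the 72-hour notification clock) can be checked mechanically. The following is an added example written for this article, not code from the PIPC, Salesforce or any of the brands; the log layout, the allowlisted ranges and the login rows are all constructed for illustration.

```python
import ipaddress
from datetime import datetime

# Constructed allowlist: the corporate egress ranges a tenant would register.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed login-history rows: (timestamp, account, source IP, MFA used).
# The layout is illustrative, not any vendor's real export format.
SAMPLE_LOGINS = [
    ("2025-03-02T09:12:00", "cs.agent@example.com", "203.0.113.17", True),
    ("2025-03-02T21:40:00", "cs.agent@example.com", "192.0.2.55", False),
    ("2025-03-03T02:05:00", "cs.agent@example.com", "192.0.2.55", False),
    ("2025-03-03T10:00:00", "vendor.handler@example.net", "203.0.113.40", False),
]

def review_login(ip, mfa):
    """Policy violations for one login: source outside the allowlist, or no MFA."""
    findings = []
    addr = ipaddress.ip_address(ip)
    if not any(addr in net for net in ALLOWED_NETWORKS):
        findings.append("ip_not_allowlisted")
    if not mfa:
        findings.append("no_mfa")
    return findings

def review_logins(rows):
    """Map (timestamp, account, ip) -> findings for every record that violates policy."""
    flagged = {}
    for ts, acct, ip, mfa in rows:
        findings = review_login(ip, mfa)
        if findings:
            flagged[(ts, acct, ip)] = findings
    return flagged

def detection_gap_days(rows, reviewed_at):
    """Whole days between the first violating login and the review that finally caught it."""
    first = min(ts for ts, _, ip, mfa in rows if review_login(ip, mfa))
    return (datetime.fromisoformat(reviewed_at) - datetime.fromisoformat(first)).days

def notification_hours_late(detected_at, notified_at, window_hours=72):
    """Hours past the regulatory notification window (0.0 if notified in time)."""
    delay = datetime.fromisoformat(notified_at) - datetime.fromisoformat(detected_at)
    return max(0.0, delay.total_seconds() / 3600 - window_hours)

if __name__ == "__main__":
    for key, findings in review_logins(SAMPLE_LOGINS).items():
        print(key, findings)
    print("days undetected:", detection_gap_days(SAMPLE_LOGINS, "2025-06-02T00:00:00"))
    print("hours late:", notification_hours_late("2025-04-01T00:00:00", "2025-04-14T00:00:00"))
```

Run against the constructed rows, the two off-network logins without MFA are flagged the same day they occur, a review three months later reports 91 days undetected, and a 13-day notification delay comes out 240 hours past the 72-hour window.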


As part of the penalty, all three brands have been ordered to post a formal public apology and an announcement of the fine on their official South Korean websites.


What data was stolen?

While no credit card numbers were reportedly taken, the exfiltrated databases contained a goldmine for secondary social engineering:


  • Full names and phone numbers

  • Email and physical addresses

  • Birth dates and gender

  • Detailed purchase histories and luxury preferences


"Convenience must not come at the expense of protection," stated PIPC Director Yoon Yeo-jin. "Many companies adopt global SaaS tools to reduce costs, but they often ignore the basic protective measures required to keep those doors locked."
