Luxury Brands Face Korean Data Breach Probe

Summary

Tiffany & Co. and Dior, both owned by LVMH, suffered data breaches affecting South Korean customers. The Personal Information Protection Commission (PIPC) is investigating both companies for potential violations due to delayed reporting and inadequate security measures. Both companies face potential fines for failing to comply with South Korean data protection laws.


Main Story

Data Breaches at Tiffany & Co. and Dior in South Korea Spark Investigation

Luxury brands Tiffany & Co. and Dior, both subsidiaries of the French multinational luxury goods conglomerate Louis Vuitton Moët Hennessy (LVMH), have recently experienced data breaches impacting their South Korean customer base. These incidents have prompted an investigation by the South Korean Personal Information Protection Commission (PIPC). The investigation centers on the companies’ delayed responses and potential violations of the Personal Information Protection Act (PIPA).

Tiffany & Co. Breach

The data breach at Tiffany & Co. occurred on April 8, 2025, due to unauthorized access to a third-party vendor’s platform used for managing customer data. The company discovered the breach on May 9, 2025, and notified affected customers via email on May 26, 2025. Compromised information includes names, addresses, phone numbers, email addresses, internal customer ID numbers, and purchase history. Notably, no public notice appeared on Tiffany’s official website, and the company maintains that no confirmed cases of data misuse have surfaced as of June 3, 2025.

Dior Breach

Dior experienced a data breach much earlier, on January 26, 2025, but only discovered it on May 7, 2025. The company reported the incident to the PIPC on May 10, 2025, and notified customers through its website and email notifications on May 13, 2025. The compromised data reportedly includes names, phone numbers, email addresses, mailing addresses, and purchase history.

PIPC Investigation and Potential Penalties

The PIPC’s investigation focuses on several key areas: the extent of the breaches, compliance with required security measures, adherence to Korean personal information protection laws, and the companies’ delayed reporting and customer notification. Both Tiffany & Co. and Dior face potential fines of up to 30 million won (approximately $21,859 USD as of June 3, 2025) for failing to report the incidents within 24 hours of discovery, as mandated by the Act on the Promotion of Information and Communications Network Utilization and Information Protection.

Wider Implications and Industry Concerns

These incidents raise broader concerns regarding data security within LVMH, the world’s largest luxury goods conglomerate. While other LVMH brands, such as Sephora, Bulgari, TAG Heuer, Marc Jacobs, and Givenchy, have not reported similar incidents in recent times, the breaches at Tiffany & Co. and Dior underscore the importance of robust cybersecurity measures across the entire group.

Recommendations for Enhanced Data Security

The PIPC recommends that companies using Software-as-a-Service (SaaS) based systems, like the customer management platforms used by both brands, implement two-factor authentication for employee accounts and IP address restrictions to prevent unauthorized access. This advice serves as a reminder for all organizations to prioritize data security and proactively protect sensitive customer information.

Conclusion

The data breaches at Tiffany & Co. and Dior serve as a stark reminder of the ever-present threat of cyberattacks and the importance of prompt and transparent communication with customers and regulators in the event of a breach. As the PIPC investigation continues, it is likely to shed further light on the specifics of these incidents and potentially lead to stricter enforcement of data protection regulations in South Korea. As of today, June 3, 2025, the situation is still developing, and further updates may emerge regarding the investigation and its consequences.

2 Comments

  1. The delayed discovery in both breaches highlights vulnerabilities in monitoring third-party vendor access. What strategies can companies employ to ensure quicker detection of unauthorized access within their supply chain and SaaS ecosystems?

    • That’s a great point! Focusing on quicker detection is key. Beyond 2FA and IP restrictions, robust log monitoring and anomaly detection within SaaS environments are crucial. Regularly auditing vendor security practices and clear incident response plans also help minimize delays and impact. What other proactive measures have you found effective?

      Editor: StorageTech.News
