South Korea’s Personal Information Protection Commission (PIPC) announced last week that it has issued significant fines to several major luxury brands over a recent hacker attack that resulted in massive data breaches.
The fines, totaling 36 billion Korean won ($25 million), were imposed on Louis Vuitton, Dior, and Tiffany, all owned by the Paris-based multinational luxury goods conglomerate LVMH.
According to the Korean regulator, Louis Vuitton received a fine of roughly $15 million for cybersecurity failures that involved employee devices getting infected with malware and the information of approximately 3.6 million individuals getting compromised.
Dior was fined the equivalent of more than $8.4 million for exposing the information of 1.95 million individuals after an employee fell for a voice phishing attack.
Tiffany has been ordered to pay $1.6 million for exposing the details of roughly 4,600 people after also falling victim to a voice phishing attack.
The South Korean agency said the data breaches are related to a SaaS platform intrusion, but did not name the platform.
However, Louis Vuitton, Dior, and Tiffany were among the dozens of major organizations hit last year in a campaign targeting Salesforce customers.
The Scattered LAPSUS$ Hunters extortion group obtained millions of data records after gaining access to the Salesforce instances of the targeted organizations. The hackers leveraged social engineering rather than vulnerabilities in Salesforce infrastructure or products.
SecurityWeek has contacted LVMH for comment and will update this article if the company responds.
Related: Flickr Security Incident Tied to Third-Party Email System
Related: Dutch Carrier Odido Discloses Data Breach Impacting 6 Million
Related: Conduent Breach Hits Volvo Group: Nearly 17,000 Employees’ Data Exposed
