Feb 22, 2026 · 5 min read
Louis Vuitton, Dior, and Tiffany Fined $25M After Hackers Walked Through the Front Door
South Korea's privacy regulator hit three LVMH luxury brands with record fines after voice phishing and stolen credentials exposed 5.5 million customer records.
$25 Million for Leaving the Door Unlocked
South Korea's Personal Information Protection Commission (PIPC) announced on February 12 that it had imposed a combined 36 billion won (approximately $25 million) in fines on three luxury brands belonging to LVMH: Louis Vuitton Korea, Christian Dior Couture Korea, and Tiffany Korea. The reason was as straightforward as it was damning: the companies had failed to implement basic security controls on the Salesforce platform they had been using to manage customer data since 2013.
Across three separate incidents, hackers accessed personal data belonging to more than 5.5 million customers, including names, email addresses, phone numbers, purchase histories, and in some cases sensitive sales and contact information.
How Each Brand Was Breached
Louis Vuitton Korea received the largest penalty: 21.4 billion won ($14.8 million). Between June 9 and June 13, 2025, a malware infection on an employee's device allowed attackers to exfiltrate Salesforce account credentials, leading to the exposure of personal data for roughly 3.6 million customers across three separate breaches. The company had no IP-based access controls, no multi-factor authentication, and no meaningful monitoring, despite operating on the platform for over a decade. Stolen credentials alone were enough: nothing checked where the login came from or asked for a second factor, and nothing flagged the resulting access.
Christian Dior Couture Korea was fined 12.2 billion won ($8.4 million). In this case, a customer service representative was tricked through voice phishing into granting a hacker access to the Salesforce system. The attacker subsequently downloaded personal information on approximately 1.95 million customers. Dior failed to detect the breach for more than three months because it had no log monitoring in place.
Tiffany Korea was fined 2.41 billion won ($1.65 million) for a nearly identical attack. A customer support employee fell for voice phishing, granting the attacker access to approximately 4,600 customer records. Tiffany also lacked proper access controls and delayed both customer notification and reporting to authorities beyond the mandated 72-hour window.
The SaaS Security Problem
What makes this case notable is not just the size of the fines but the nature of the failures. The PIPC specifically criticized all three brands for underutilizing the security features already built into Salesforce. Controls such as OTP-based authentication, IP geolocation filtering, and access logging were available in the product but had never been turned on. None of the three breaches required a vulnerability in the platform; each one rode on a login that the available controls would have challenged, blocked, or at least recorded.
The regulator made its position clear: using a SaaS platform does not transfer responsibility for data protection to the vendor. "Security remains the provider's responsibility even when using SaaS," the PIPC stated. The "provider" here is the business that collects the customer data, not the SaaS vendor. The vendor secures the platform; the customer must still configure, monitor, and maintain the security controls on its own tenant.
This principle has implications far beyond luxury retail. Any company storing customer data in cloud platforms like Salesforce, HubSpot, or ServiceNow is equally exposed if it leaves default settings in place and fails to enable the security tools already available to it.
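The monitoring gap the regulator describes is concrete enough to show in code. The following is an added example, not code from the article and not Salesforce's own tooling: a detection pass over a constructed set of SaaS audit events that applies the three controls named above (second factor on login, a source-IP and country allowlist, and review of the access log for bulk exports). The record shape is loosely modelled on a CRM login-history and event-log export; the field names, the office network range, the expected country and the export threshold are all assumptions for the example.

```python
"""Detection pass over SaaS audit events (added example with constructed data)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample events (not real log data). Shape loosely modelled on a
# CRM login-history / event-log export; the field names are assumptions.
SAMPLE_EVENTS = [
    # (user, timestamp, source_ip, country, mfa_used, event, rows_exported)
    ("cs.agent1", "2025-06-10T09:02:11", "203.0.113.10", "KR", True,  "Login",        0),
    ("cs.agent1", "2025-06-10T09:05:40", "203.0.113.10", "KR", True,  "ReportExport", 250),
    ("cs.agent2", "2025-06-10T22:41:03", "198.51.100.7", "US", False, "Login",        0),
    ("cs.agent2", "2025-06-10T22:45:19", "198.51.100.7", "US", False, "ReportExport", 500000),
    ("cs.agent2", "2025-06-10T22:51:02", "198.51.100.7", "US", False, "ReportExport", 480000),
    ("cs.agent3", "2025-06-11T10:00:00", "203.0.113.44", "KR", True,  "Login",        0),
    ("cs.agent3", "2025-06-11T10:05:00", "203.0.113.44", "KR", True,  "ReportExport", 1500),
    ("cs.agent3", "2025-06-11T10:25:00", "203.0.113.44", "KR", True,  "ReportExport", 1500),
    ("cs.agent3", "2025-06-11T10:45:00", "203.0.113.44", "KR", True,  "ReportExport", 1500),
]

# Policy values are assumptions for the example: office egress range,
# expected login country, and how many rows one user may export per hour.
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
ALLOWED_COUNTRIES = {"KR"}
EXPORT_ROWS_PER_WINDOW = 2000
EXPORT_WINDOW = timedelta(hours=1)


def parse_event(row):
    """Turn one raw tuple into a dict with typed time and IP fields."""
    user, ts, ip, country, mfa, event, rows = row
    return {
        "user": user,
        "time": datetime.fromisoformat(ts),
        "ip": ipaddress.ip_address(ip),
        "country": country,
        "mfa": mfa,
        "event": event,
        "rows": rows,
    }


def detect(events):
    """Return a list of (user, rule, detail) findings, oldest first."""
    findings = []
    export_window = defaultdict(list)   # user -> [(time, rows)] inside EXPORT_WINDOW
    risky_session = set()               # users whose most recent login was flagged

    for ev in sorted(map(parse_event, events), key=lambda e: e["time"]):
        user = ev["user"]
        if ev["event"] == "Login":
            login_findings = []
            if not ev["mfa"]:
                login_findings.append((user, "login_without_mfa", str(ev["ip"])))
            if not any(ev["ip"] in net for net in ALLOWED_NETWORKS):
                login_findings.append((user, "login_outside_ip_allowlist", str(ev["ip"])))
            if ev["country"] not in ALLOWED_COUNTRIES:
                login_findings.append((user, "login_from_unexpected_country", ev["country"]))
            findings.extend(login_findings)
            # Remember whether this session started badly, so later exports inherit the risk.
            if login_findings:
                risky_session.add(user)
            else:
                risky_session.discard(user)
        elif ev["event"] == "ReportExport":
            # Sliding one-hour sum per user: catches one huge export and also a
            # trickle of small exports that each stay under the threshold.
            window = export_window[user]
            window.append((ev["time"], ev["rows"]))
            cutoff = ev["time"] - EXPORT_WINDOW
            window[:] = [(t, n) for t, n in window if t > cutoff]
            total = sum(n for _, n in window)
            if total > EXPORT_ROWS_PER_WINDOW:
                findings.append((user, "bulk_export", f"{total} rows within {EXPORT_WINDOW}"))
            if user in risky_session:
                findings.append((user, "export_in_flagged_session", f"{ev['rows']} rows"))
    return findings


def summarize(findings):
    """Count findings per rule; a quick triage view."""
    return Counter(rule for _, rule, _ in findings)


if __name__ == "__main__":
    for user, rule, detail in detect(SAMPLE_EVENTS):
        print(f"{user:10} {rule:30} {detail}")
```

Run against the constructed events, the pass flags the out-of-country login without a second factor and the two very large exports that follow it, and it also flags the third user's three modest exports because the one-hour sum crosses the threshold. The first user, logging in from the office range with a second factor and pulling a small report, produces nothing. Each of these rules corresponds to a control the brands had available; the point of the example is that the signals were in the log, and that a few lines of policy over that log is the difference between detecting an export the same hour and noticing it three months later.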
Voice Phishing: The Human Vulnerability
Two of the three breaches (Dior and Tiffany) began with voice phishing, also known as vishing. In both cases, attackers called customer service representatives and socially engineered them into granting access to internal systems. The technique does not break a technical control; it gets a legitimate, authorized user to perform the action, so any control that depends on that user's judgment is satisfied. What survives it are controls that do not depend on the user: restricting logins to known networks, limiting who can export records in bulk, and monitoring the access log for activity a customer service role would never need.
Voice phishing has surged in sophistication. The ShinyHunters group, responsible for several high-profile breaches in 2025 and 2026, has refined the technique into an art form, impersonating IT staff and routing victims through adversary-in-the-middle phishing infrastructure that captures SSO credentials and MFA codes in real time. While the LVMH breaches have not been attributed to ShinyHunters, the attack pattern is strikingly similar.
South Korea's Growing Enforcement Power
South Korea amended its Personal Information Protection Act (PIPA) in 2023 to authorize fines of up to 3% of related revenue, bringing it closer to the GDPR's 4% of global turnover threshold. The LVMH fines demonstrate that the PIPC is willing to use this expanded authority, particularly against multinational corporations that operate in the Korean market without implementing adequate local data protection measures.
The fines also signal a broader global trend. Privacy regulators in Europe, California, and now South Korea are increasingly holding companies accountable not just for breaches themselves but for the security posture that allowed them. The message is consistent: if you collect customer data, you must protect it, and "we use a third party platform" is not a defense.
What This Means for Consumers
If you have ever purchased from Louis Vuitton, Dior, or Tiffany in South Korea, your personal information may have been compromised. The exposed data, which includes names, email addresses, phone numbers, and purchase histories, is precisely the kind of information attackers use to craft targeted phishing campaigns.
Be especially wary of communications that reference past luxury purchases or offer exclusive deals. Scammers who have access to your purchase history can create highly convincing messages that appear to come from the brand itself. And remember: if a company has had your data breached once, the information is out there permanently. No fine, no matter how large, can recall data that has already been stolen.