Recent data breaches at luxury brands under LVMH, the world’s largest luxury conglomerate, have raised concerns over the group’s data security practices, particularly among consumers.
The most recent incident involved Tiffany & Company, which revealed on 9 May that personal data from its Korea-based customers, including names, addresses, phone numbers, email addresses, and sales information, had been compromised.
The breach happened on 8 April but wasn’t identified until a month later. The company has said no financial information, such as payment card details, was involved, but its response was limited to notifying affected individuals via email.
Similar concerns have been raised following a breach at Dior, another LVMH-owned luxury brand. Dior acknowledged on 13 May that it had suffered a data leak on 26 January, which included customer names, phone numbers, email addresses, and purchase records.
However, the company only detected the breach on 7 May, roughly 100 days after it happened. Dior’s failure to notify affected customers within a reasonable timeframe, and its delayed report to the relevant authorities in Korea, has done little to ease consumer anxiety.
Under Korea’s Information and Communications Network Act, businesses are required to report data breaches within 24 hours, but Dior waited until 10 May to do so, adding to the scrutiny on their handling of the matter.
While Tiffany and Dior are feeling the heat, concerns have surfaced about whether customer data might be stored or processed on LVMH’s shared data infrastructure, possibly exposing other luxury labels.
Despite this, brands like Bvlgari have said they cannot confirm whether they were affected, which hasn’t helped the uncertainty.
Staying Alert
Chris Hauk, Consumer Privacy Advocate at Pixel Privacy, says: “While it’s lucky that no financial information or Social Security info was exposed in the breach, customers need to stay alert for phishing scams via email or text messages. As usual, you should never click a link or open an attachment found in emails or texts.”
Hauk says there was enough information leaked for malefactors to use to create emails or texts pretending to be about a customer’s previous orders. This could include claiming the user is eligible for rebates or refunds on those purchases, or a similar claim. “Scammers would then try to get additional information, such as debit or credit information from the victim.”
Paul Bischoff, Consumer Privacy Advocate at Comparitech, agrees: “Although the breach is concerning, the compromised data was not particularly sensitive. It can’t be used to directly steal victims’ money or identities. However, victims should be on the lookout for targeted phishing and scam messages. Scammers could use the details in this database to craft more convincing phishing messages. Never click unsolicited links or attachments in emails or texts.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.