Louis Vuitton, Dior, and Tiffany Fined $25 Million by South Korea for Data Breaches
South Korea’s Personal Information Protection Commission fined Louis Vuitton, Dior, and Tiffany a combined $25 million for poor security in their SaaS customer systems. The breaches exposed data from 5.55 million customers across the LVMH brands. Hackers accessed names, emails, phone numbers, addresses, and purchase histories.
Louis Vuitton took the biggest hit at $16.4 million. Malware on an employee device compromised their SaaS tool used since 2013. The company skipped IP restrictions and secure remote auth like OTP or tokens. This led to three separate leaks affecting 3.6 million customers.
Dior faced a $9.4 million penalty after a phishing attack tricked a customer service worker. The firm had used SaaS since 2020 without IP allow-lists, bulk download limits, or log checks. It missed the breach for over three months and notified PIPC five days late, beyond the 72-hour notification deadline under PIPA. The breach hit 1.95 million users.
Tiffany got a $1.85 million fine from voice phishing on staff. Just 4,600 customers lost data, but they also lacked IP controls and download caps. Notification delays added to the violations.
PIPC stated: “Even when companies adopt SaaS, their responsibility to safely manage personal information is neither exempted nor transferred.” They added: “Data controllers must fully utilize the privacy protection features provided by these services.”
Breach Details Table
| Brand | Fine Amount | Customers Affected | Attack Vector | Key Failures |
|---|---|---|---|---|
| Louis Vuitton | $16.4M | 3.6 million | Employee malware | No IP limits, weak remote auth |
| Dior | $9.4M | 1.95 million | Phishing | No allow-lists, 3+ month delay |
| Tiffany | $1.85M | 4,600 | Vishing | No download caps, late notice |
Common Security Gaps
All three brands used shared SaaS platforms, and the incidents are likely tied to the ShinyHunters attacks on Salesforce customers; Google researchers have linked similar campaigns. Companies must own data protection regardless of which vendors they use.
PIPC ordered public disclosure on company sites. Total penalties hit 36 billion KRW including smaller fines.
Lessons for SaaS Users
- Enforce IP whitelisting for remote access.
- Use MFA, OTP, or certificates always.
- Monitor logs daily for odd activity.
- Limit bulk exports and test alerts.
| Control | Purpose | Implementation |
|---|---|---|
| IP Restrictions | Block outsiders | Firewall rules |
| Secure Auth | Stop credential theft | MFA/OTP tokens |
| Log Inspection | Early breach detection | SIEM tools |
| Download Limits | Prevent mass exfil | SaaS config |
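As an added illustration of the log-inspection, IP-restriction and notification-deadline points above (example code written for this article, not from the brands' systems or any SaaS vendor), the script below reviews constructed SaaS audit-log lines for access from outside an assumed corporate allow-list, exports above an assumed row cap, and late regulator notification against the 72-hour window:

```python
import ipaddress
import json
from datetime import datetime, timedelta

# Constructed sample SaaS audit-log lines (JSON), not real vendor output.
SAMPLE_LOG = """
{"ts":"2025-05-01T09:00:00Z","user":"cs-agent-01","action":"login","src_ip":"203.0.113.10"}
{"ts":"2025-05-01T09:05:00Z","user":"cs-agent-01","action":"export","src_ip":"203.0.113.10","rows":800}
{"ts":"2025-05-01T22:41:00Z","user":"cs-agent-01","action":"login","src_ip":"198.51.100.77"}
{"ts":"2025-05-01T22:43:00Z","user":"cs-agent-01","action":"export","src_ip":"198.51.100.77","rows":1950000}
""".strip()

# Assumed corporate egress range and per-export row cap (hypothetical values).
ALLOW_LIST = [ipaddress.ip_network("203.0.113.0/24")]
BULK_ROW_CAP = 10_000
NOTIFY_WINDOW = timedelta(hours=72)  # PIPA breach-notification deadline cited in the article


def review_log(lines, allow_list=ALLOW_LIST, row_cap=BULK_ROW_CAP):
    """Return (ts, user, finding, detail) for events from non-allow-listed IPs
    and for exports whose row count exceeds the cap."""
    findings = []
    for line in lines.splitlines():
        ev = json.loads(line)
        ip = ipaddress.ip_address(ev["src_ip"])
        if not any(ip in net for net in allow_list):
            findings.append((ev["ts"], ev["user"], "untrusted_ip", ev["src_ip"]))
        if ev["action"] == "export" and ev.get("rows", 0) > row_cap:
            findings.append((ev["ts"], ev["user"], "bulk_export", ev["rows"]))
    return findings


def _parse_ts(iso):
    # Accept a trailing "Z" on older Python versions that fromisoformat() rejects.
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def notified_late(detected_iso, notified_iso):
    """True if the regulator was notified more than 72 hours after detection."""
    return _parse_ts(notified_iso) > _parse_ts(detected_iso) + NOTIFY_WINDOW


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(*finding)
    print("late:", notified_late("2025-05-02T08:00:00Z", "2025-05-07T08:00:00Z"))
```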
FAQ
- Lax SaaS security exposed 5.55M customers; violated PIPA notification rules.
- Names, phones, emails, addresses, purchase history.
- Companies, not vendors, per PIPC.
- Malware, phishing, vishing on employee devices.
- Post fines on websites; fix IP/auth controls.