Hefty sanctions against Louis Vuitton, Christian Dior and Tiffany: luxury brands fined billions for massive data leaks

South Korea has fined the local units of three luxury brands 36 billion won ($24.9 million), warning that convenience must not come at the expense of personal data protection.
South Korea’s Personal Information Protection Commission (PIPC) has announced hefty sanctions against the local units of Louis Vuitton, Christian Dior, and Tiffany for violations of the nation’s Personal Information Protection Act. The fines, totaling 36 billion won, are among the largest ever imposed on corporate data handlers in the country’s luxury retail sector.
Louis Vuitton Korea received the largest penalty of 21.4 billion won after hackers gained unauthorized access to an employee device. That breach resulted in the exposure of personal data, including user names, phone numbers and birth dates, for roughly 3.6 million customers in three separate incidents. Regulators said the company had poor security practices for remote logins.
At Christian Dior Couture Korea, investigators found that a customer center employee fell victim to a voice phishing attack, granting malicious actors access to the personal information of about 1.95 million users.
The company also failed to detect the breach for more than three months due to inadequate log monitoring practices. Even after detecting the breach, Dior delayed notifying affected users beyond the legally mandated 72-hour window without valid justification. The PIPC has imposed a fine of 12.23 billion won on Dior.
Tiffany Korea faced a similar voice phishing attack resulting in the exposure of around 4,600 customer records. Like Dior, Tiffany lacked proper access controls and delayed both customer notification and reporting to authorities. The commission fined the company 2.4 billion won.
The leaked user data from both Dior and Tiffany included names and email addresses.
Convenience vs Security
In all three cases, the PIPC noted that the breaches occurred in the context of software-as-a-service (SaaS)-based customer management systems that the companies had implemented for cost efficiency and operational flexibility.
The regulator warned, however, that convenience must not come at the expense of personal data protection functions such as differentiated access privileges and robust authentication, including IP-based access restrictions.
Security experts say retail brands are particularly attractive targets because their customer databases contain high-value personal information that can be leveraged for phishing, fraud, and targeted social engineering campaigns.
Prior breaches at Tiffany have exposed customer information and gift card data. Last year, Louis Vuitton reported a breach after attackers accessed the systems of its UK unit.
The PIPC penalties come amid South Korea's ongoing stringent actions against online retailer Coupang over a massive breach that resulted in the loss of personal data belonging to nearly 34 million customers.