South Korea has fined the luxury fashion brands Louis Vuitton, Christian Dior Couture, and Tiffany & Co. a combined $25 million for failing to implement adequate security measures, a failure that facilitated unauthorized access and exposed data belonging to more than 5.5 million customers.
All three brands operate under the LVMH (Moët Hennessy Louis Vuitton) group, and in each case the incident began with hackers breaching the brand's cloud-based customer management service.
Malware Infection and SaaS Compromise at Louis Vuitton
According to the Personal Information Protection Commission (PIPC), in the case of Louis Vuitton, malware infected an employee’s device and enabled attackers to compromise the company’s software-as-a-service (SaaS) platform and leak data belonging to 3.6 million customers.
Although the SaaS product isn't named in the decision, researchers at Google have linked the campaigns to the ShinyHunters gang, which targeted Salesforce instances. The threat actor later claimed the breach of LVMH systems.
As a result of last year's breaches at the three regional brands, attackers exposed sensitive customer data, including names, phone numbers, email addresses, postal addresses, and purchase histories.
PIPC says that Louis Vuitton had operated the SaaS tool since 2013, but “did not restrict access rights to Internet Protocol (IP) addresses, etc., and did not apply secure authentication methods when personal information handlers accessed the service from outside.”
For failing to adequately secure access to customer data, the South Korean data protection agency imposed a $16.4 million fine on Louis Vuitton and ordered the company to announce the penalty on its business website.
Dior Breach Triggered by Phishing Attack
Meanwhile, at Dior, a phishing attack targeted a customer service employee and tricked the employee into granting a hacker access to the SaaS system, exposing data belonging to 1.95 million customers.
Dior had used the system since 2020, but the company had not implemented IP allow-lists, had not restricted bulk data downloads, and did not inspect access logs, which delayed discovery of the breach by more than three months.
Additionally, Dior South Korea reported the breach to PIPC five days after learning about it. Under the Personal Information Protection Act (PIPA), organizations are required to notify the agency within 72 hours of becoming aware of a personal information leak.
Due to these violations, PIPC announced a $9.4 million financial penalty for Dior South Korea.
Tiffany Hit by Voice Phishing, Receives $1.85M Fine
Similarly, attackers breached Tiffany by using voice phishing to trick a customer service employee into granting access to the SaaS system. The impact was far smaller in this case, with data belonging to 4,600 clients exposed.
Like the other two brands, Tiffany had not implemented IP-based access controls or bulk data download restrictions, and it also failed to notify affected individuals within the legally specified time frame. As a result, authorities issued a $1.85 million fine.
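The three gaps PIPC cited in the Louis Vuitton, Dior and Tiffany findings above are the same: no IP-based restriction on who can reach the SaaS tenant, no secure authentication for external access, and no limit on or review of bulk exports. The script below is an added illustration, not code from the article, PIPC or any of the brands, of what a minimal review of SaaS audit logs for exactly those conditions looks like. The JSON-lines log format, the field names, the allow-listed networks and the export thresholds are all assumptions, and the sample events are constructed.

```python
"""Review SaaS audit-log events for the control gaps PIPC cited:
logins from outside an IP allow-list, logins without MFA, and bulk
data exports. Added example; log format and thresholds are assumed."""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed allow-list: the brand's office and VPN egress ranges (RFC 5737 test nets).
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Assumed thresholds: one export of this many rows, or this many rows by
# one user inside the window, is treated as a bulk download.
BULK_EXPORT_ROWS = 10_000
WINDOW = timedelta(hours=1)
WINDOW_ROWS = 50_000

# Constructed sample events in a hypothetical JSON-lines audit format.
SAMPLE_LOG = """\
{"ts": "2024-03-01T08:02:11Z", "user": "cs.agent1", "event": "login", "ip": "203.0.113.7", "mfa": true}
{"ts": "2024-03-01T09:15:40Z", "user": "cs.agent1", "event": "export", "ip": "203.0.113.7", "rows": 120}
{"ts": "2024-03-01T22:41:05Z", "user": "cs.agent1", "event": "login", "ip": "192.0.2.55", "mfa": false}
{"ts": "2024-03-01T22:43:10Z", "user": "cs.agent1", "event": "export", "ip": "192.0.2.55", "rows": 30000}
{"ts": "2024-03-01T22:50:22Z", "user": "cs.agent1", "event": "export", "ip": "192.0.2.55", "rows": 30000}
{"ts": "2024-03-02T03:10:00Z", "user": "cs.agent2", "event": "login", "ip": "198.51.100.9", "mfa": true}
"""


def parse_events(text):
    """Parse JSON-lines audit events; timestamps become datetime objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def ip_allowed(ip):
    """True if the source address (string) falls inside an allow-listed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def review(events):
    """Return (finding, user, detail) tuples in timestamp order."""
    findings = []
    exports = defaultdict(list)  # user -> [(ts, rows)] for the sliding window
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["event"] == "login":
            if not ip_allowed(e["ip"]):
                findings.append(("login_outside_allowlist", e["user"], e["ip"]))
            if not e.get("mfa", False):
                findings.append(("login_without_mfa", e["user"], e["ip"]))
        elif e["event"] == "export":
            if e["rows"] >= BULK_EXPORT_ROWS:
                findings.append(("bulk_export", e["user"], e["rows"]))
            exports[e["user"]].append((e["ts"], e["rows"]))
            # Sum only this user's exports inside the trailing window.
            recent = sum(r for t, r in exports[e["user"]] if e["ts"] - t <= WINDOW)
            if recent >= WINDOW_ROWS:
                findings.append(("export_volume_exceeded", e["user"], recent))
    return findings


if __name__ == "__main__":
    for kind, user, detail in review(parse_events(SAMPLE_LOG)):
        print(f"{kind:<26} user={user} detail={detail}")
```

Run against the constructed sample, the review flags the off-network login without MFA and the two 30,000-row exports that follow it within minutes, which is the pattern the article describes: a compromised or socially engineered customer-service account pulling the customer table in bulk. In a real tenant the allow-list and MFA checks belong in the identity provider and the SaaS platform's login policy, not only in after-the-fact log review; the script shows what a log review would have surfaced had it been performed.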
PIPC emphasized that using SaaS solutions does not exempt companies from their responsibility to securely manage client data, nor does it transfer that responsibility to the vendors of those solutions.
Source: BleepingComputer, Bill Toulas