South Korea just fined some of the most recognizable luxury names in the world, and it wasn’t about counterfeit handbags or trademark disputes. It was about customer data.

Regulators announced penalties totaling about $25 million against Louis Vuitton, Dior and Tiffany after hackers accessed personal information belonging to millions of people. All three brands operate under the LVMH group, and all three were tied to the same broader cyberattack campaign.

According to the country’s Personal Information Protection Commission, the breaches weren’t caused by a dramatic Hollywood-style hack. They were caused by people.

Louis Vuitton received the largest penalty, roughly $15 million, after malware infected employee devices and exposed the data of about 3.6 million individuals. Dior was fined more than $8.4 million after an employee fell for a voice phishing scam that compromised information belonging to 1.95 million people. Tiffany was ordered to pay $1.6 million after a similar voice phishing incident exposed details for about 4,600 customers.

In other words, attackers didn’t break the system. They convinced someone to open the door.

The regulator said the incidents were linked to an intrusion involving a SaaS platform, though it didn’t publicly name the platform. The companies were, however, among many organizations targeted in a wider campaign that affected businesses using Salesforce systems.

The group behind the attacks, known as Scattered LAPSUS$ Hunters, reportedly gained access not by exploiting a technical flaw in Salesforce itself but by using social engineering. Attackers impersonated trusted contacts and support staff, persuading employees to hand over credentials or approve access requests. Once inside, they were able to pull large amounts of customer data.

The episode highlights a shift in cybersecurity. The weakest point is increasingly not software but human behavior. Luxury brands invest heavily in store design, supply chains and marketing, yet a single convincing phone call can bypass layers of technical protection.

For customers, the risk is less about credit cards and more about identity. Names, contact details and account information can be used in follow-up scams, targeted phishing messages and impersonation attempts long after the original breach.

For companies, the message from regulators is becoming clearer. Protecting data isn’t only about building stronger systems. It also means training employees to recognize when someone on the phone or in an email isn’t who they claim to be.

And for shoppers, it’s a reminder that the brands associated with exclusivity and craftsmanship are still, at their core, just databases connected to the internet.