Louis Vuitton, Dior, And Tiffany & Co. Korea Fined 36 Billion Won ($25 Million USD)
The Personal Information Protection Commission announced on the 12th that it has imposed a total fine of ₩36.0 billion KRW (about $24.9 million USD) and administrative fines totaling ₩10.8 million KRW (about $7,470 USD) on three luxury brand retailers—Louis Vuitton, Dior, and Tiffany & Co.
The commission held a full meeting the previous day to approve these sanctions and ordered the companies to publish the details of the penalties on their respective websites. Investigations revealed that all three companies experienced data breaches while using SaaS-based customer management services.
Louis Vuitton Korea’s employee devices were infected with malware, allowing hackers to steal SaaS account information and leak the personal data of approximately 3.6 million customers, including names, gender, nationality, phone numbers, email addresses, and dates of birth, across three separate incidents.
Since it began operating the SaaS service in 2013, the company had failed to restrict access rights by IP address and had not applied secure authentication methods for external access. As a result, the commission imposed a fine of ₩21.4 billion KRW (about $14.8 million USD) on Louis Vuitton Korea.
Christian Dior Couture Korea and Tiffany & Co. Korea both fell victim to voice phishing scams that tricked employees into granting hackers SaaS access credentials, leading to leaks of personal information of around 1.95 million and 4,600 individuals, respectively. The leaked data from Dior included names, gender, date of birth, age, email addresses, and phone numbers, while Tiffany’s data involved names, addresses, emails, and internal customer record numbers.
Neither company implemented IP restrictions or controls on bulk data downloads. Dior failed to review access logs at least once a month, delaying detection of the breach for over three months. Both companies also notified affected individuals more than 72 hours after recognizing the breach, and Tiffany Korea further delayed its official reporting.
Consequently, the commission fined Dior ₩12.2 billion KRW (about $8.46 million USD) and imposed an administrative fine of ₩3.60 million KRW (about $2,490 USD), while Tiffany was fined ₩2.41 billion KRW (about $1.67 million USD) plus a ₩7.20 million KRW (about $4,980 USD) administrative fine.