Customer data leaks are occurring one after another in Korea's luxury market. This year alone, after Dior, Cartier and Louis Vuitton, Tiffany also suffered a customer data breach. Repeated hacking attempts are being made to exploit the characteristics of the Korean market, which has many high-spending consumers, for financial gain. There are calls for luxury companies to improve their lax responses.

Screenshot of Tiffany Korea homepage /Courtesy of Tiffany Korea

According to industry sources on the 16th, Tiffany Korea said on its official website on the 15th, "We have confirmed that some customers' personal information was leaked due to access by an unauthorized third party," and "Names, mailing addresses, email addresses, phone numbers, sales data and internal customer numbers may have been included." However, it did not disclose the specific scale of the damage or the number of affected customers. Tiffany also had a similar personal information leak in April, making this the second time this year.

Recently, luxury brands have seen a series of personal information leaks. The problem is that they confirm the leaks belatedly and respond slowly.

According to the Personal Information Protection Commission, Dior reported to the commission that it became aware in May of a leak that occurred in January, and Tiffany said it recognized and reported in May an incident that occurred in April. Tiffany confirmed a further incident, which occurred in May, only on the 15th. Louis Vuitton discovered and reported in July an information leak that occurred in June. Dior, Tiffany and Louis Vuitton are all brands under France's LVMH (Louis Vuitton Moët Hennessy), the world's largest luxury group. This year alone, there have been four hacking incidents at LVMH-affiliated brands.

Cartier, a brand under the Richemont Group, emailed customers in June to inform them of an information leak. Cartier did not disclose in the email when the information was leaked.

The commission said it is investigating the incidents. A commission official said, "We are investigating all the personal information leaks at luxury companies that occurred this year," and added, "Since Tiffany Korea already has an ongoing investigation, we will view this incident comprehensively in the same context."

Louis Vuitton store on the Champs-Élysées in Paris. /Courtesy of Reuters Yonhap

Hacking incidents keep recurring at luxury companies because information on luxury customers sells at a high price on the dark web, where hackers trade. The customer information that luxury brands collect includes more sensitive details than the information held by general distributors. Some luxury brands collect specific information such as occupation and workplace to provide personalized services. Each product also has a serial number, which brands use to track when and where the product was sold, along with the purchase history. If such information leaks, it is highly likely to lead to secondary harm such as voice phishing and tailored smishing.

According to the commission, the Dior and Tiffany data leaks in the first half of this year occurred because employee account credentials used to access customer management services were stolen. If the incidents had been recognized quickly, the spread of damage could have been reduced. An industry official noted, "If a luxury brand operates information technology (IT) systems separated and interconnected between its global headquarters and the Korea branch, there is a structural problem that detection and response are delayed when an incident occurs."

The commission said, "Both companies were using customer management services based on software as a service (SaaS)," and stressed that to prevent large-scale personal information leaks when using software as a service, corporations need to apply multi-factor authentication to employee accounts and implement access control measures such as restricting accessible IP addresses. "It is also necessary to strengthen education, management and supervision of personal information handlers to prevent accounts from being stolen through phishing," it said. Software as a service is a model in which software is delivered from the cloud over the internet rather than installed on a company's own servers.

An industry official said, "The recent incidents occurred not because advanced hacking technologies were used, but because basic security postures were lax, such as poor account security management and inadequate internal monitoring systems," and added, "Consumer loyalty to luxury brands is rooted in trust and scarcity, and sloppy management of customer data will heighten consumer anxiety. To protect brand image and secure global customer trust, security investment should be treated as a strategic task on par with marketing."

※ This article has been translated by AI.