South Korea Fines Three LVMH Brands $25 Million
South Korea's Personal Information Protection Commission (PIPC) has imposed a combined $25 million in fines on three luxury brands owned by LVMH — Louis Vuitton, Christian Dior, and Tiffany & Co. — for data breaches that collectively exposed the personal information of over 5.5 million customers. All three brands were using Salesforce cloud CRM at the time of their respective incidents.
Fine Breakdown
| Brand | Fine Amount | Attack Type | Customers Affected |
|---|---|---|---|
| Louis Vuitton | $14.8 million | Malware-infected employee device | 3.6 million |
| Christian Dior | ~$8.5 million | Phishing attack | 1.95 million |
| Tiffany & Co. | ~$1.7 million | Voice phishing (vishing) | 4,600 |
| Combined Total | $25 million | — | ~5.55 million |
Louis Vuitton: $14.8 Million Fine
An employee's device was compromised with information-stealing malware that captured login credentials for internal systems. Attackers used the stolen credentials to access the Salesforce CRM containing 3.6 million South Korean customer records including names, purchase history, loyalty data, and contact information.
The PIPC cited failure to implement adequate endpoint security, lack of MFA for CRM access, and delayed breach detection.
Christian Dior: ~$8.5 Million Fine
Employees received sophisticated phishing emails impersonating internal communications. Multiple employees entered credentials on fake login pages, granting attackers access to the Salesforce CRM with 1.95 million customer records.
Tiffany & Co.: ~$1.7 Million Fine
Attackers called Tiffany employees posing as IT support, extracting system login credentials over the phone. This granted access to 4,600 customer records including high-value jewelry transaction data.
The Salesforce CRM Connection
While Salesforce itself was not breached, the brands failed to properly secure their Salesforce environments:
| Security Gap | Impact |
|---|---|
| Weak authentication | Single-factor login allowed credential-based attacks |
| No IP restrictions | CRM accessible from any location |
| Insufficient monitoring | Unauthorized access went undetected |
| Over-permissioned accounts | Employees had excessive data access |
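A defender-side check for the first three gaps in the table (weak authentication, no IP restrictions, insufficient monitoring), as an added example that is not from the article or from any of the companies named. It reads a constructed login-history export in the spirit of a Salesforce login-history report (the column names, the trusted address range, and the business-hours window are assumptions) and flags successful logins that lacked MFA, came from an untrusted address, fell outside office hours, or followed failed attempts.

```python
"""Flag policy-violating CRM logins from a login-history export."""
import csv
import io
import ipaddress
from datetime import datetime

# Constructed sample export. Column names are an assumption modelled on a
# login-history report; the rows are invented and not from any real incident.
SAMPLE_LOGIN_EXPORT = """\
user,login_time,source_ip,status,mfa_verified
alice@example.com,2024-03-01T09:02:11Z,203.0.113.10,Success,true
bob@example.com,2024-03-01T09:15:40Z,203.0.113.11,Success,false
carol@example.com,2024-03-01T02:47:03Z,198.51.100.77,Success,false
carol@example.com,2024-03-01T02:45:59Z,198.51.100.77,Invalid Password,false
dave@example.com,2024-03-01T11:30:00Z,203.0.113.12,Success,true
"""

# Assumed corporate egress range and office hours (UTC); adjust per tenant.
TRUSTED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59


def in_trusted_range(ip):
    """True when the source address falls inside an allow-listed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_RANGES)


def assess_logins(export_text):
    """Return [(user, source_ip, [reasons])] for successful logins that
    violate policy, processed in chronological order so that failed
    attempts preceding a success are counted."""
    rows = sorted(csv.DictReader(io.StringIO(export_text)),
                  key=lambda r: r["login_time"])
    failures = {}  # user -> failed attempts not yet followed by a success
    findings = []
    for row in rows:
        user = row["user"]
        if row["status"] != "Success":
            failures[user] = failures.get(user, 0) + 1
            continue
        reasons = []
        if row["mfa_verified"].lower() != "true":
            reasons.append("no MFA")
        if not in_trusted_range(row["source_ip"]):
            reasons.append("untrusted IP")
        hour = datetime.strptime(row["login_time"], "%Y-%m-%dT%H:%M:%SZ").hour
        if hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        prior = failures.pop(user, 0)
        if prior:
            reasons.append(f"{prior} failed attempt(s) before success")
        if reasons:
            findings.append((user, row["source_ip"], reasons))
    return findings


if __name__ == "__main__":
    for user, ip, reasons in assess_logins(SAMPLE_LOGIN_EXPORT):
        print(f"{user} from {ip}: {', '.join(reasons)}")
```

A login that trips several rules at once (no MFA, unknown address, odd hour, prior failures) is the credential-theft pattern behind the incidents above and is the one to page on first.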
Key Takeaway
All three breaches stemmed from human-factor attacks (malware, phishing, and vishing), underscoring that even the most prestigious global brands remain vulnerable to social engineering. The enforcement action sends a clear message that employee security awareness and proper cloud security configuration are regulatory requirements, not optional.