High-end heist: Australians caught up in Louis Vuitton data breach


High-end luxury brand Louis Vuitton has confirmed that Australian customers were caught up in a data breach, with personal information including birthdates, contact details, purchase history and preference data stolen by hackers.

Affected customers were informed via email on Monday, with the company revealing it became aware of a breach some three weeks earlier, on July 2.

“We regret to inform you that an unauthorised third party temporarily accessed our system and obtained some of your information,” the email reads.


High-end luxury brand Louis Vuitton has confirmed that Australian customers have been caught up in a data breach. Credit: Bloomberg

“We would like to reassure you that no password nor financial information – such as credit card information, bank details or other financial accounts – was contained in the database accessed.”

An email that Louis Vuitton sent to customers informing them of a data breach.


The company said the unauthorised access had been blocked, and that “competent authorities have been notified”.

Louis Vuitton was contacted for further comment. It’s unclear how many Australian customers have been impacted, and why the company took three weeks to notify customers.

The company, which is best known for its handbags, has also notified affected customers in South Korea, Turkey, Britain, Italy and Sweden, and is urging customers to stay alert for phishing emails or suspicious text messages. It’s owned by French conglomerate LVMH, which also operates Dior and Tiffany. Those brands have also been caught up in recent data breaches.

“It’s open cyber season on luxury retail brands globally,” said Katherine Mansted, executive director of the nation’s largest cybersecurity firm, CyberCX.

“The Louis Vuitton breach is just the latest in a string of cyber incidents for the sector, with big names like Tiffany, Dior, Adidas, Victoria’s Secret and Cartier disclosing incidents since just April. Ransomware group ShinyHunters is likely behind some, but not all of these.”


ShinyHunters, which was formed in 2020 and named after a Pokemon, has claimed credit for some of the most significant data breaches globally, affecting millions of people including Australians. It hasn’t yet claimed responsibility for the Louis Vuitton breach.

“ShinyHunters’ MO is stealing large datasets. Often, they sell these datasets to other criminals; sometimes, they leak them as a publicity stunt,” Mansted said.

She said CyberCX was seeing far fewer businesses in Australia, and globally, pay ransoms to cybercriminals. The criminals aren’t stopping, however; instead, they are operating in sectors and places more willing to pay ransoms, or changing their service offerings. Some are reverting to stealing and selling data to make money.

“The retail sector is in a sweet spot for cybercriminals,” she said.

“The sector hasn’t faced the same regulatory pressure to uplift cyber maturity as banks, telcos and other critical providers. But at the same time, it holds huge consumer datasets. These datasets are highly valuable – whether transacted by powerful data brokers, or unlawfully on the dark web by criminals.

CyberCX’s Katherine Mansted said it’s “open cyber season on luxury retail brands globally”.


“The high-end retail heist also highlights a growing problem confronting all businesses: third-party cyber risk. We’re still understanding these incidents, but it’s very possible that the source of at least some of these breaches is a third-party vendor commonly used across the sector.”

Australian companies now face fines of up to $50 million for serious breaches of the Privacy Act, after high-profile data breaches affected Optus and Medibank customers. The Office of the Australian Information Commissioner was contacted for comment.

The latest breach comes after 5.7 million Qantas customers had their information accessed by hackers this month, including information on frequent flyer accounts, addresses and food preferences. The airline said last week it had found no evidence yet of stolen data being released, but it was “actively monitoring”.

Cybersecurity researcher Jamieson O’Reilly said while no passwords or financial data had been taken, the scope of stolen Louis Vuitton data still presented significant opportunities for exploitation.


Jamieson O’Reilly, founder and chief executive of the cybersecurity firm DVULN. Credit: Dominic Lorrimer

“That is especially true when the breached entity is a high-profile luxury brand with a highly engaged and brand-loyal customer base,” he said.

Jamieson, who runs cybersecurity consultancy DVULN, said he had already noticed online chatter and victim reports indicating that Louis Vuitton customers had received phishing emails impersonating the company.

“Notably, this email referenced a known artist, Clara Bacou, who previously published conceptual NFT artwork for Louis Vuitton back in 2021,” he said.


“Anyone who searched the artist’s name would find legitimate links tying her to Louis Vuitton, giving the email a false sense of authenticity. Combined with accurate customer data from the breach, the setup is precise enough to fool even security-aware recipients.”

He said it was highly likely that threat actors are already using the stolen data for nefarious purposes.

“While breaches are frequent, that does not make them acceptable,” he said.

“Enterprise responsibility doesn’t stop at breach notification, it extends into proactive threat hunting, consumer guidance and a willingness to rethink the data practices that created the exposure in the first place.”
