Gucci and Alexander McQueen Hit by Customer Data Breach
Luxury fashion brands Gucci, Alexander McQueen, and Balenciaga have suffered a customer data breach, joining a growing list of high-profile fashion brands targeted by the ShinyHunters hacking group. The breach has resulted in the exposure of sensitive customer information, including spending data for millions of unique email addresses.
According to a sample of files claimed by ShinyHunters and shared with the BBC, the breach affected 7.4 million unique email addresses, which appear to be genuine. This revelation highlights the scale of the attack, with thousands of customer details compromised.
The Attack on Kering
The incident is believed to have taken place in June when an unauthorized third party gained temporary access to Kering's system, accessing limited customer data from its brands. Kering, the French-based holding company for Gucci, Alexander McQueen, and Balenciaga, confirmed the breach and stated that no financial information was involved.
"No financial information – such as bank account numbers, credit card information, or government-issued identification numbers – was involved in the incident," the company added. Kering denied engaging in any conversations with the perpetrators, according to a statement to the BBC.
Risks and Implications
Joseph Rooke, director of risk insights at Recorded Future's Insikt Group, warned that the latest breach underlines the risks luxury brands face as prominent targets for cybercrime. Attackers are drawn to these companies not only because of their global recognition but also because their customer bases include high-net-worth individuals whose personal details can be especially valuable.
"Attackers are attracted to these companies because of the potential to exploit this information and commit follow-on fraud," Rooke noted. The exposure of customer spending data could increase the risk of follow-on attacks, particularly if the information is sold on the dark web to other criminal actors.
A Growing Pattern
The attack on Kering follows a number of incidents affecting high-profile fashion brands in recent months, including Dior, Adidas, Louis Vuitton, Cartier, Chanel, Pandora, and Victoria's Secret. All of these incidents have been linked to the ShinyHunters hacking group, which has reportedly compromised Salesforce customer instances using vishing (voice phishing) techniques.
A Trend Micro threat researcher noted that the latest reported attack on Kering seems to have occurred before the initial public disclosure that corporate Salesforce instances had been targeted back in June. "The fact that they're only now announcing the Kering breach could signal that more victims are still having their data processed by the group behind the scenes," they warned.
Next Steps
Infosecurity has reached out to Kering for comment, but has not received a response at the time of writing. The incident highlights the need for luxury brands to prioritize cybersecurity and take proactive measures to protect their customers' sensitive information.