Louis Vuitton, Dior, and Tiffany Fined Around 36 Billion Won Over Personal Data Leaks
Customer management SaaS hacked
Measures such as IP access restrictions and strong authentication needed
Three luxury brands, including Louis Vuitton, have been hit with a total of 36 billion won in administrative fines over personal information leakage incidents.
Lee Jeongryeol, Vice Chair of the Personal Information Protection Commission, is delivering opening remarks at the 3rd plenary meeting held on the afternoon of the 11th at the Government Complex Seoul. Provided by the Personal Information Protection Commission
The Personal Information Protection Commission announced on the 12th that it held the 3rd plenary meeting the previous day and decided to impose a total of 36,033,000,000 won in administrative fines and 10,800,000 won in penalty surcharges on three luxury brand retailers for violating the Personal Information Protection Act, and ordered them to disclose the sanctions on their respective websites.
The companies concerned are Louis Vuitton Korea, Christian Dior Couture Korea, and Tiffany Korea.
The administrative fine imposed on Louis Vuitton amounts to 21,385,000,000 won. An employee device was infected with malware, and the account credentials for a Software-as-a-Service (SaaS) platform were stolen by a hacker, resulting in the personal information of 3.6 million individuals being leaked in three separate incidents.
The Personal Information Protection Commission’s investigation found that Louis Vuitton did not restrict access to the SaaS introduced in 2013 for customer management by means such as internet protocol (IP) address controls. It also failed to apply secure authentication methods when personal information handlers accessed the system from outside the company.
At Dior, in 2025 a customer service employee fell victim to a voice phishing scam and gave a hacker access rights to the SaaS platform, leading to the leakage of the personal information of approximately 1.95 million individuals. Dior had been operating the SaaS since 2000, but it neither restricted access rights by IP address or similar means nor blocked the use of tools that enable mass data downloads.
In addition, because it did not review access logs at least once a month, the company failed to detect the breach for more than three months. It was also confirmed that, after recognizing the leak, the company made the required report and notifications only after more than 72 hours had passed, without justifiable reason. Accordingly, the Personal Information Protection Commission imposed an administrative fine of 12,236,000,000 won and a penalty surcharge of 3,600,000 won on Dior.
At Tiffany, the personal information of more than 4,600 individuals was leaked, and the sequence of events, as well as the fact that reporting and notification were made more than 72 hours after recognizing the leak without justifiable reason, were the same as in Dior’s case. As a result, Tiffany was ordered to pay an administrative fine of 2,412,000,000 won and a penalty surcharge of 7,200,000 won.
Recently, many companies have been introducing and operating SaaS platforms, citing reasons such as reducing initial build-out costs and improving maintenance efficiency. The Personal Information Protection Commission pointed out that, to ensure the security of SaaS, measures such as granting access rights in a differentiated manner and limiting them to the minimum scope necessary to perform work are required.
It also stressed that companies must restrict access by IP address or similar means to block unauthorized access and, when personal information processing systems are accessed from outside the company, must apply authentication methods such as one-time passwords (OTP), digital certificates, or security tokens without exception.
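The controls the Commission cites above (an IP allowlist, strong authentication for external access, limits on mass downloads, and a monthly review of access logs) can be checked against a SaaS audit log. The script below is an added illustration and is not code from the Commission, the article, or any of the companies named; the log format, the office network range and the 5,000-record bulk threshold are assumptions, and the log lines are constructed for the example.

```python
"""Review a SaaS access log for the control gaps named in the article:
access from outside the allowed IP range, external logins without MFA,
and mass exports by a single account. Log format is hypothetical."""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not from any real SaaS or from the incidents
# described in the article). Fields: timestamp user client_ip event records mfa
SAMPLE_LOG = """\
2025-03-02T09:12:03 clerk01 10.20.1.15 login 0 mfa=yes
2025-03-02T09:15:41 clerk01 10.20.1.15 export 120 mfa=yes
2025-03-05T22:47:10 clerk01 203.0.113.77 login 0 mfa=no
2025-03-05T22:49:33 clerk01 203.0.113.77 export 95000 mfa=no
2025-03-06T01:02:11 clerk01 203.0.113.77 export 80000 mfa=no
2025-03-07T10:00:00 mgr02 10.20.1.40 login 0 mfa=yes
2025-03-07T10:05:00 mgr02 10.20.1.40 export 400 mfa=yes
"""

# Assumed policy: only the office range is allowed, and more than 5,000
# records exported by one account in one day counts as a mass download.
OFFICE_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
BULK_EXPORT_THRESHOLD = 5000


def parse_log(text):
    """Parse the hypothetical log format into a list of dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, event, records, mfa = line.split()
        entries.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "ip": ipaddress.ip_address(ip),
            "event": event,
            "records": int(records),
            "mfa": mfa == "mfa=yes",
        })
    return entries


def is_internal(ip, networks=OFFICE_NETWORKS):
    """True when the client address falls inside an allowed network."""
    if isinstance(ip, str):
        ip = ipaddress.ip_address(ip)
    return any(ip in net for net in networks)


def review_access_log(entries, networks=OFFICE_NETWORKS,
                      threshold=BULK_EXPORT_THRESHOLD):
    """Return findings for the three checks; an empty list means the check passed."""
    findings = {"external_access": [], "external_no_mfa": [], "bulk_export": []}
    daily_exports = defaultdict(int)
    for e in entries:
        if not is_internal(e["ip"], networks):
            # Any event from outside the allowlist: the IP restriction is missing.
            findings["external_access"].append((e["user"], str(e["ip"]), e["event"]))
            if e["event"] == "login" and not e["mfa"]:
                # External login that did not pass a second factor.
                findings["external_no_mfa"].append((e["user"], str(e["ip"])))
        if e["event"] == "export":
            daily_exports[(e["user"], e["ts"].date())] += e["records"]
    for (user, day), total in sorted(daily_exports.items()):
        if total > threshold:
            findings["bulk_export"].append((user, day.isoformat(), total))
    return findings


if __name__ == "__main__":
    for check, hits in review_access_log(parse_log(SAMPLE_LOG)).items():
        print(check, hits)
```

Run against the sample, the review flags every event from 203.0.113.77, the unauthenticated external login, and the two days on which one account exported far more than the threshold; a review like this scheduled at least monthly, as the Commission requires, would have surfaced such activity well inside the three months described above.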
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.