Luxury Fashion Faces a Cyber Reckoning: Kering Breach Exposes Millions

Luxury fashion group Kering, which includes such high-end brands as Gucci, Balenciaga, and Yves Saint Laurent, has recently been hit by a major data breach. Malicious actors hacked Kering’s systems to steal vast amounts of data affecting millions of customers. This includes seven million email logs, according to ShinyHunters, the threat group taking credit for the attack.

Luxury as a High-Value Target

Luxury fashion houses are prime targets for attackers for a variety of reasons. The wealth of these brands and their customers can lead to higher payouts, the prestige of the brand name means that a cyberattack can do significant reputational damage, and access to global customer data enables widespread breaches.

Targeting corporate groups and parent companies with major subsidiaries also enables access to massive amounts of data related to multiple brands and their customers. “Organizations being breached via an attack on a shared parent organization has become increasingly common, as the massive wave of companies breached through the attack on Salesforce has shown,” says Pete Luban, Field CISO at AttackIQ.

The ShinyHunters Factor

The ransomware group known as ShinyHunters has been around since 2020, primarily focusing its efforts on data theft operations. The group has previously launched attacks against major organizations, including luxury brands, such as the recent campaign linked to Salesforce that targeted Google, Adidas, Louis Vuitton, and Chanel. This and other ShinyHunters-attributed attacks have also been potentially linked to the group known as Scattered Spider.

The group has a history of targeting corporations for data theft and extortion, in line with the Kering attack. A contact claiming to be from ShinyHunters, who was negotiating the ransom for the stolen data in this attack, disclosed that the data was compromised via the Salesforce CRM, following the pattern of previous ShinyHunters attacks on the industry.

Reputational Damage vs. Operational Risk

The attack on Kering could have serious consequences for the affected brands. For companies like Gucci, Balenciaga, and Alexander McQueen, the potential fallout includes the breached data being leaked or sold, which would harm both the companies and their customers. The brands could also lose significant consumer trust due to their inability to prevent the attack, especially as many of their affluent clientele expect a certain standard of security.

The breached data could enable significant further attacks against customers. “Stolen email logs provide a plethora of information that could be weaponized. Email logs typically contain metadata such as sender and recipient addresses, timestamps, subject lines, and sometimes IP information, which can be used to map communication patterns, organizational hierarchy, and business relationships,” according to Aditya Sood, VP of Security Engineering and AI Strategy at Aryaka. “Even without full message contents, this data enables attackers to conduct highly targeted phishing, business email compromise (BEC), and social engineering attacks.”

Cybersecurity in Fashion: A Growing Imperative

Fashion—and luxury fashion in particular—is one of many industries that have been experiencing extreme digital transformation, increasingly relying on online operations as e-commerce continues to grow. This growth, along with the AI explosion of recent years and corporate adoption of AI personalization, heightens cyber risk for organizations.

The traditional brand image of many of these corporations—the idea that they are founded on integrity, quality, and trust—often stands in contrast with modern cyber realities, where large brands are often unprepared to fight threats like this. Fashion brands are not typically associated with cybersecurity, but it is a necessary part of maintaining trust and prestige for these organizations.

Lessons for the Industry

Luxury brands, like other organizations, are highly encouraged to prioritize cybersecurity. In an increasingly digital world, it is crucial for cybersecurity to become a part of the luxury fashion industry's core identity: to be respected and reliable, these brands must focus as much on protecting their customers' data as on providing high-end products.

Fashion houses can take a number of steps to strengthen resilience against attacks like the Kering breach. It is vital to implement measures against ransomware, vet partners and connections to protect against third-party risks, and utilize scanning and detection technology that can identify breaches in progress.

Trust as the Ultimate Luxury

In an era where data breaches can tarnish even the most iconic brands, cybersecurity isn’t optional—it’s the fabric that holds luxury together. It is more important than ever for major fashion brands to invest in and prioritize cybersecurity measures against modern cyberthreats. Attacks are on the rise, as is the e-commerce industry, and protecting against cyberattacks is essential for preventing data breaches and maintaining prestige and consumer trust.

Author
  • Contributing Writer, Security Buzz
    PJ Bradley is a writer from southeast Michigan with a Bachelor's degree in history from Oakland University. She has a background in school-age care and experience tutoring college history students.