Massive Data Breach Exposes Personal Information of Gucci, Balenciaga, and Alexander McQueen Customers

In a significant cybersecurity incident, luxury fashion conglomerate Kering has confirmed that unauthorized access led to the exposure of personal data belonging to customers of its renowned brands: Gucci, Balenciaga, and Alexander McQueen. The breach, orchestrated by the cybercriminal group known as Shiny Hunters, was identified in June 2025 but is believed to have occurred in April of the same year.

Scope of the Data Breach

The unauthorized access compromised personally identifiable information (PII) associated with approximately 7.4 million unique email addresses. The specific data exposed includes:

– Email Addresses: Contact information of customers.
– Full Names: Personal identification details.
– Phone Numbers: Direct contact numbers.
– Shipping Addresses: Residential or delivery locations.
– Total Sales Figures: Cumulative spending amounts per customer.

Notably, sensitive financial information, such as bank account details and credit card numbers (the latter regulated under the Payment Card Industry Data Security Standard, PCI DSS), was not part of the compromised data. However, the inclusion of total sales figures, with individual spending ranging from $10,000 to $86,000, raises concerns about phishing and spear-phishing attacks targeted at high-value customers.

Method of Unauthorized Access

Kering’s investigation revealed that the attackers gained temporary unauthorized access through compromised internal credentials. These credentials were likely obtained via a phishing campaign targeting the company’s Salesforce Single Sign-On (SSO) portals. By exploiting these credentials, the attackers were able to infiltrate the system and exfiltrate the sensitive customer data.

Response and Regulatory Compliance

Upon detecting the breach, Kering took immediate action to mitigate the impact and comply with regulatory requirements. The company:

– Notified Data Protection Authorities: In accordance with Article 33 of the General Data Protection Regulation (GDPR), Kering informed the relevant authorities about the breach.
– Communicated with Affected Customers: Direct email notifications were sent to all individuals whose data was compromised, providing them with information about the breach and recommended protective measures.

Under EU regulations, public disclosure of a data breach is mandated only if the incident poses a high risk to the rights and freedoms of individuals. Kering maintains that its direct notification to affected customers fulfills its obligations under these regulations.

Ransom Demands and Company Stance

Reports indicate that Shiny Hunters attempted to negotiate a ransom payment with Kering, demanding Bitcoin in exchange for not releasing the stolen data. These negotiations purportedly began in June 2025 via Telegram. However, Kering has firmly denied engaging in any paid negotiations and has adhered to law enforcement guidance by refusing to meet the ransom demands.

Evolving Cyber Threats

The tactics employed by Shiny Hunters in this breach are indicative of evolving cyber threats. Similar campaigns have been attributed to this group, involving:

– Credential Theft via Social Engineering: Manipulating individuals to divulge confidential information.
– Exploitation of Third-Party CRM Integrations: Leveraging vulnerabilities in customer relationship management systems.
– Data Exfiltration through Encrypted Channels: Using secure channels to extract data without detection.

These sophisticated methods underscore the need for organizations to continually enhance their cybersecurity measures to protect against such threats.

Potential Risks to Affected Customers

The exposure of PII, combined with detailed spending profiles, significantly increases the risk of secondary attacks on affected customers. Potential threats include:

– Phishing Attacks: Fraudulent attempts to obtain sensitive information by impersonating legitimate entities.
– Spear-Phishing: Targeted phishing attacks aimed at specific individuals, often using personalized information to appear credible.
– SIM Swapping: A technique where attackers hijack a victim’s mobile phone number to gain access to accounts that rely on SMS or voice-call codes for two-factor authentication.

Given the high-value nature of the affected customers, these risks are particularly pronounced.

Recommended Protective Measures

To mitigate the potential impact of the data breach, affected individuals are advised to implement the following security measures:

1. Enable Multi-Factor Authentication (MFA): Add an extra layer of security to accounts by requiring multiple forms of verification.
2. Use Unique, Strong Passwords: Create complex passwords that are not reused across different accounts. Consider using passphrases composed of random words for enhanced security.
3. Monitor Financial Accounts: Regularly review bank statements and credit reports for any unauthorized activity.
4. Be Vigilant Against Unsolicited Communications: Exercise caution with unexpected emails or phone calls requesting personal information or urgent actions.

The National Cyber Security Centre (NCSC) also recommends resetting passwords and reviewing account recovery settings for all email and e-commerce profiles. Staying alert to unsolicited communications can help prevent further fraudulent activities.

Conclusion

This data breach serves as a stark reminder of the persistent and evolving threats in the digital landscape. Organizations must prioritize robust cybersecurity protocols and proactive monitoring to safeguard sensitive customer information. Simultaneously, individuals should remain vigilant and adopt comprehensive security practices to protect their personal data from potential exploitation.