
Data breach exposes luxury brands’ compliance failure

Posted July 9, 2025 08:02

Updated July 9, 2025 08:02


Following a recent hacking incident that compromised customer data at high-end brands including Dior, Cartier, Tiffany, and Louis Vuitton, it has been revealed that these luxury labels failed to appoint designated personnel responsible for protecting customer information in South Korea, despite legal requirements to do so.

An investigation by Dong-A Ilbo revealed that none of the four brands had designated a data protection officer in accordance with Korea’s Personal Information Protection Act (PIPA). The law mandates that foreign businesses with either annual sales exceeding 1 trillion won (approximately US$720 million) or a daily user base of over one million individuals must appoint and publicly disclose a local data protection agent in South Korea.

According to the Financial Supervisory Service, Louis Vuitton Korea reported sales of 1.7484 trillion won in 2024, triggering mandatory compliance. Dior fell slightly below the threshold in 2024, with sales of 945.3 billion won, but exceeded 1 trillion won the previous year (1.0456 trillion won). Richemont, the parent company of Cartier, reported 1.7952 trillion won in Korean sales from April 2024 to March 2025.

“The local agent plays a vital role in monitoring regulatory changes and serving as a communication bridge with the overseas headquarters in the event of a data breach,” explained Professor Yeom Heung-yoel of Suncheonhyang University’s Department of Information Protection. “Without such an agent, it becomes difficult to respond appropriately or comply with local regulations.”

The investigation also revealed further lapses in internal data governance. According to the Personal Information Protection Commission (PIPC), businesses must appoint an individual—not merely a department—as the person responsible for customer data. Tiffany only listed a department, while Louis Vuitton designated a responsible individual only after the breach, on June 10.

Sources in the cybersecurity industry revealed that the affected brands had all used the same cloud-based customer relationship management platform. “We are currently examining whether the breach originated from the service provider or if it was due to the brands’ own negligence,” a PIPC official said.

In contrast to their global luxury counterparts, major South Korean fashion retailers have been more transparent and compliant. For example, LF Corp. has clearly designated its head of customer data management as the responsible officer and has implemented an in-house system for managing personal data.

Experts are now calling for stronger oversight of luxury brands operating in South Korea, citing the heightened sensitivity of their customer base’s information. “The Korean branches of global luxury brands often display a poor awareness of local security standards,” said Professor Lim Jong-in of Korea University's Graduate School of Privacy and Data Protection. “Regulators must take firm action to ensure compliance.” The Dong-A Ilbo reached out to Dior and Louis Vuitton for comment but received no response.


Reporter Lee So-jung, sojee@donga.com