Cyber criminals have stolen the private details of potentially millions of Balenciaga, Gucci and Alexander McQueen customers in a ransomware attack.
The stolen data includes names, email addresses, phone numbers, addresses and the total amount spent in the luxury stores around the world.
Kering, the parent company of the luxury brands, has confirmed the breach and says it disclosed the incident to the relevant data protection authorities.
The company said no financial information, such as card details, were stolen and confirmed it has emailed affected customers but has not revealed how many were impacted or made any public statements about the hack.
According to the BBC, a group called Shiny Hunters claims to be behind the attack and alleges to have obtained data linked to 7.4 million unique email addresses, suggesting the total number of individual victims could be similar.
A small sample analysed by the BBC as proof contained thousands of customer details which appeared to be genuine.
One of the details in the stolen data is “Total Sales”, which shows how much money a person has spent with each brand. The BBC said that some customers are shown to have spent more than £7,500, with a handful spending £22,500-£65,000 in stores.
This information is particularly concerning for victims as it could lead to high spenders being targeted by secondary hacks and scams if the hackers decide to leak the information to other criminals.
Shiny Hunters appears to be acting alone and told the BBC over Telegram that they breached the luxury brands in April through Kering’s systems.
The hackers contacted the French company in early June and claim to have been in on-off negotiations over a ransom to be paid in Bitcoin. This is denied by Kering, which says it has not engaged in any conversations with the criminals and has refused to pay the hackers in accordance with long-standing law enforcement advice.
“In June, we identified that an unauthorised third party gained temporary access to our systems and accessed limited customer data from some of our Houses. No financial information – such as bank account numbers, credit card information, or government-issued identification numbers – was involved in the incident,” a Kering spokesperson said, adding it has since secured its IT systems.
The data breach, which occurred in April, came during a wave of attacks on luxury brands. Companies including Cartier and Louis Vuitton also disclosed breaches to customers and the public, though it is not known if those attacks are linked to Shiny Hunters.
In June, cyber security experts at Google issued a warning about a trend of attacks linked to Shiny Hunters that the tech giant also subsequently fell victim to. The hackers are known by Google as UNC6040 and have been stealing data by tricking employees into handing over their login details for internal company Salesforce software.
Last month, customers at brands including Chanel and Pandora had their data stolen by hackers.
Pandora assured customers that no passwords, credit card details or similar confidential data was involved in the breach.
