Kering, the owner of Gucci, Balenciaga and Yves Saint Laurent, said that it had been a victim of the hacking collective ShinyHunters in an intrusion that compromised data related to its luxury houses. The incident is part of a broader campaign against companies that use cloud-based CRM platforms. Kering says it alerted authorities and affected parties, and that no banking or card information was compromised.
What Was Accessed, and How Many Were Affected
Data connected to about 7.4 million customers was compromised, according to reports cited by the company and BBC News coverage. Information that is exposed includes names, email addresses, phone numbers, physical addresses and spending/purchase details. Kering said that no payment card numbers, bank or government ID numbers, or in-store customer information details were compromised in the attack, and that mitigation steps have been put in place to limit additional impact on systems.
And because Kering does business across many brands and countries, such exposure includes shoppers of a variety of high-end labels — not just Gucci. The company said it has been notifying those affected and cooperating with regulators in places where notification is mandatory under privacy laws.
A Supply-Chain Strike on CRM Infrastructure
ShinyHunters has recently honed in on hacking data located within third-party software-as-a-service environments.
Here, the victim was customer data being held in a CRM system, with other reports linking other widely known companies as victims during that same period. The group allegedly breached the company’s systems in the spring, and weeks later tried to extort it over an online channel; Kering says it refused to pay and took steps to limit the breach.
These attacks highlight a structural challenge: Companies can harden their own networks but still be compromised through partners and vendors that handle sensitive data. Both identity and session management in SaaS ecosystems, including OAuth integrations and API tokens, have emerged as lucrative targets for criminal gangs looking to go big.
Why Luxury Brands Are Especially Attractive Targets
High-end retailers keep wealthy customer profiles — contact information, preferred stores and stylists, spending tiers — which they use to power the white-glove service. The same data, in the hands of criminals, powers customized phishing and account-takeover attacks. A convincing email that makes reference to a purchase or recent boutique visit is going to be much more successful in duping a customer into coughing up their credentials or one-time passcodes than a generic lure.
Recent attacks on other luxury houses, as well as peers of Kering in the jewelry and fashion world, indicate that attackers have increasingly set their sights on those with ample means whose accounts and loyalty points can be converted into money rapidly. Scammers can also pivot deeper into retail systems by targeting store associates and clienteling tools.
Regulatory and Financial Exposure Facing Kering
For a France-based conglomerate such as Kering, EU data protection regulators will likely examine timing and scope of notification as well as mitigation steps against the backdrop of EU rules that authorize fines of up to 4 percent of global annual revenue for serious infringements.
Regulators in Britain or other markets where its customers are based may also be involved. Class action activity is common post large retail exposures involving purchase histories.
The larger price is almost never merely technical. IBM’s latest Cost of a Data Breach Report put the global average incident cost in the multi-millions range, as response, legal fees, notification and customer churn all come into play. And, for luxury houses, there is reputational damage that can drag on VIP relationships that are disproportionately valuable to the bottom line.
What Customers Should Do Now to Protect Themselves
Impacted shoppers should be especially wary of unsolicited calls or emails that mention orders, repairs, or loyalty benefits. Don’t click links — access accounts by typing the brand’s website yourself, or opening the official app. Enable multifactor authentication if it’s offered, establish per-transaction alerts on payment cards and monitor statements for unauthorized charges. Take free credit monitoring if offered. Be extra wary of one-time code requests — banks and retailers don’t ask you to disclose OTPs over phone calls and emails.
The Bigger Picture: ShinyHunters’ Playbook
ShinyHunters is also well known for stealing massive amounts of data and then publicizing claims on breach forums and messaging channels in an effort to pressure victims into paying. The turn to stolen data in common business platforms is part of a broader shift that we are seeing across indicator-of-compromise (IOC) infrastructure: attackers go after identity and trusted third parties because it’s where the access — and the data — pools. Stolen credentials and supply-chain vulnerabilities consistently appear among the top breach enablers, according to industry reports — including those released each year by Verizon and ENISA.
Enterprises could have three or four key takeaways:
- Treat SaaS environments and partner networks as an extension of your corporate network.
- Document all those integrations.
- Apply least-privileged access, conditional access and token lifecycle management checks for authentication services.
- Monitor for unusual data export activity or logins that represent a change to normal behavior — and consider these risks before they happen.
For Kering and its peers, it will be just as important for brand equity as any runway show to shore up these controls.