Skip to content
View in the app

A better way to browse. Learn more.

hosang I.T.

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

South Korea fines Louis Vuitton, Christian Dior, Tiffany $25M for SaaS security failures

South Korea’s data protection authority has handed down a combined KRW 36 billion (approximately US$25 million) in administrative fines to the local subsidiaries of three global luxury houses, after finding they failed to implement basic security controls while managing customer data through a SaaS platform.

The Personal Information Protection Commission (PIPC), South Korea’s top privacy regulator, announced on Feb. 12 that it levied a total of KRW 36.033 billion in fines and KRW 10.8 million in additional penalties against Louis Vuitton Korea, Christian Dior Couture Korea, and Tiffany Korea for violations of the country’s Personal Information Protection Act (PIPA). The regulator also ordered all three companies to publicly disclose the enforcement actions on their websites.

The PIPC noted that the data in question — personal information belonging to Korean customers — was collected and processed domestically by the local subsidiaries, placing it squarely within the jurisdiction of PIPA.

Louis Vuitton drew the heaviest penalty at KRW 21.385 billion. In that case, an employee’s device was compromised by malware, allowing threat actors to harvest SaaS account credentials. The breach resulted in the exposure of personal data belonging to roughly 3.6 million individuals across three separate incidents between June 9 and June 13 of last year. Despite having used the SaaS platform since 2013, Louis Vuitton Korea had never implemented IP-based access restrictions or enforced stronger authentication for remote access.

Christian Dior Couture Korea was fined KRW 12.236 billion, plus an additional KRW 3.6 million in penalties. In Dior’s case, a customer service representative fell victim to a voice phishing (vishing) attack and directly provisioned SaaS access to the attacker, leading to the exposure of personal data for approximately 1.95 million individuals. The company had failed to enforce IP-based access controls, had not restricted the use of bulk data export tools, and had not conducted monthly access log reviews — lapses that allowed the breach to go undetected for more than three months. The PIPC also confirmed that Dior missed the statutory 72-hour window for notifying authorities and affected individuals once the breach was discovered.

Tiffany Korea received a fine of KRW 2.412 billion and an additional KRW 7.2 million in penalties. The attack vector mirrored Dior’s: A customer service employee was socially engineered through a vishing scheme and granted the attacker access privileges, resulting in the compromise of personal information for approximately 4,600 individuals. Tiffany likewise lacked IP-based access controls and bulk download restrictions, and failed to report the breach within the required 72-hour timeframe.

The PIPC stressed that SaaS environments used to process personal data qualify as “personal information processing systems” under Korean law. As such, organizations are required to enforce least-privilege access, implement IP-based access controls, and deploy strong authentication mechanisms — including one-time passwords, digital certificates, or hardware security tokens.

“Adopting a Software-as-a-Service solution does not exempt or transfer a company’s obligation to safeguard personal information,” the PIPC said in its official statement. “Data controllers must fully leverage the security features these platforms provide to prevent breaches.”

View the full article

User Feedback

Recommended Comments

There are no comments to display.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Add a comment...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.