Hackers stole millions of Users’ Personal Data from Gucci, Balenciaga, and Alexander McQueen Stores

Luxury fashion company Kering has confirmed a data exfiltration incident in which threat actor Shiny Hunters accessed private customer records for Gucci, Balenciaga, and Alexander McQueen.

The breach, detected in June but occurring in April, exposed personally identifiable information (PII) for an estimated 7.4 million unique email addresses.

Key Takeaways
1. PII and spend data of roughly 7.4 million luxury-brand customers stolen.
2. High-value shoppers face elevated phishing and SIM-swap risks.
3. Kering notified regulators/customers, refused ransom.

Massive Data Exfiltration 

According to Kering’s statement, the attacker gained temporary unauthorized access using compromised internal credentials. Those credentials were most likely harvested through a phishing campaign targeting Salesforce single sign-on (SSO) portals, a lure that has been used against other companies in the same wave of CRM-focused intrusions.

The stolen dataset contains:

  • Email
  • Full name
  • Phone number
  • Shipping address
  • Total sales

No PCI-DSS-regulated data, such as credit card numbers or bank account details, was exfiltrated. Instead, the files include names, email addresses, phone numbers, shipping addresses, and a “Total Sales” field indicating each customer’s cumulative spending. 

Analysis of a sample of the stolen data revealed cumulative spend figures ranging from $10,000 to $86,000 per individual, heightening concerns over targeted whaling and spear-phishing.

Kering has notified relevant data protection authorities under GDPR Article 33 and communicated directly with affected customers via email. 

Under GDPR, a breach must be reported to the supervisory authority (Article 33) unless it is unlikely to result in a risk to individuals, and affected individuals must be told directly (Article 34) when the breach is likely to result in a high risk to them; there is no general duty to issue a public statement. Kering maintains that its notification obligations have been met.

Shiny Hunters’ Ransom Demands 

BBC reports that the attacker, self-identified as Shiny Hunters, claimed to have negotiated a ransom in Bitcoin (BTC) with Kering beginning in June via Telegram. 

Kering denies negotiating or paying a ransom and says it followed law-enforcement guidance not to pay.

In parallel, Google’s Threat Intelligence Group tracks a related campaign as UNC6040, whose operators have claimed affiliation with Shiny Hunters. In that campaign, callers posing as IT support talk employees into authorizing a malicious connected app against the company’s Salesforce tenant; the OAuth access that app receives is then used to export CRM data in bulk, without any password ever being “cracked”.

This pattern underscores evolving TTPs (Tactics, Techniques, and Procedures), including:

  • Credential theft via social engineering
  • Abuse of third-party CRM integrations
  • Exfiltration through encrypted channels 
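The second item in that list, abuse of a third-party CRM integration, leaves a recognizable trace in tenant audit logs: a newly authorized app, often with broad OAuth scopes, followed within hours by a bulk export far above the user’s normal volume. The detector below is an added example (not code from the article, from Kering, or from any vendor) that runs that rule over a small set of constructed audit events. The event schema, the app names, the 48-hour window and the 100,000-record threshold are all assumptions chosen for illustration; a real deployment would map the fields from the CRM’s own audit export and tune the thresholds to the tenant.

```python
"""Flag bulk CRM exports by recently authorised or unknown third-party apps.

Added example. The Event schema and all sample data below are constructed
for illustration and do not reproduce any vendor's real audit log format.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str                         # "oauth_grant" or "bulk_export"
    app: str                          # name of the connected / third-party app
    records: int = 0                  # rows exported (bulk_export only)
    scopes: frozenset = frozenset()   # scopes granted (oauth_grant only)


GRANT_WINDOW = timedelta(hours=48)     # assumption: an app is "new" for 48 h
EXPORT_THRESHOLD = 100_000             # assumption: tune to the tenant's baseline
BROAD_SCOPES = frozenset({"full", "api", "refresh_token"})  # assumed scope names


def find_suspicious_exports(events, allowed_apps):
    """Return one alert per bulk export that (a) exceeds the threshold and
    (b) comes from an app that is not allow-listed and was either authorised
    within GRANT_WINDOW or has no recorded authorisation at all."""
    grants = {}   # (user, app) -> most recent oauth_grant event
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "oauth_grant":
            grants[(ev.user, ev.app)] = ev
            continue
        if ev.kind != "bulk_export" or ev.app in allowed_apps:
            continue
        if ev.records < EXPORT_THRESHOLD:
            continue
        grant = grants.get((ev.user, ev.app))
        if grant is None:
            reason = "bulk export by app with no recorded authorisation"
            scopes = frozenset()
        elif ev.ts - grant.ts <= GRANT_WINDOW:
            reason = f"bulk export {ev.ts - grant.ts} after app was authorised"
            scopes = grant.scopes
        else:
            continue   # long-standing integration: outside this rule's scope
        alerts.append({
            "user": ev.user,
            "app": ev.app,
            "records": ev.records,
            "broad_scopes": sorted(scopes & BROAD_SCOPES),
            "reason": reason,
        })
    return alerts


def sample_events():
    """Constructed audit events: one vishing-style compromise, one benign
    nightly ETL job, one harmless calendar integration, two small exports."""
    t0 = datetime(2025, 4, 14, 9, 0)
    return [
        # alice is talked into authorising a look-alike loader app with broad scopes,
        # and the app pulls the customer table 2.5 h later.
        Event(t0, "alice", "oauth_grant", "bulk-loader-clone",
              scopes=frozenset({"full", "api", "refresh_token"})),
        Event(t0 + timedelta(hours=2, minutes=30), "alice", "bulk_export",
              "bulk-loader-clone", records=250_000),
        # allow-listed reporting job: large, but expected.
        Event(t0 + timedelta(hours=1), "etl-svc", "bulk_export",
              "nightly-reporting", records=600_000),
        # narrow-scope integration that never exports anything.
        Event(t0 + timedelta(minutes=5), "bob", "oauth_grant", "calendar-sync",
              scopes=frozenset({"read_calendar"})),
        # small export: below threshold, not alerted.
        Event(t0 + timedelta(hours=3), "carol", "bulk_export",
              "bulk-loader-clone", records=1_200),
        # large export by an app with no grant in the log at all.
        Event(t0 + timedelta(hours=4), "dave", "bulk_export",
              "unknown-exporter", records=150_000),
    ]


ALLOWED_APPS = frozenset({"nightly-reporting"})


def run():
    return find_suspicious_exports(sample_events(), ALLOWED_APPS)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The rule keys on the pair (user, app) rather than on the app alone, because in the vishing pattern the app is authorised under one employee’s identity and the export runs under that same identity; an allow-list of sanctioned integrations keeps scheduled ETL jobs out of the alert queue.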

Security experts warn that leaked PII combined with customer spend profiles could facilitate secondary intrusions—such as account takeover or SIM swapping, especially against high-value targets.

Victims should assume scammers may impersonate legitimate organizations using stolen PII. Recommended mitigations include:

  • Enable multi-factor authentication (MFA) on all accounts.
  • Use a unique password for every account (the NCSC suggests three random words, or a password manager’s generated password).
  • Monitor credit reports and set up alerts for suspicious activity.

The NCSC advises resetting passwords and reviewing account recovery settings for all email and e-commerce profiles. Remaining vigilant against unsolicited calls or emails demanding urgent action can help thwart follow-on fraud.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.