Personal details belonging to 7.4m customers now join the stolen data of more than 1.25m other customers of luxury brands.
Luxury conglomerate Kering has confirmed this week a significant data breach affecting millions of customers of its brands.
The breach, which was discovered in June but had occurred in April, involves personal information including names, email addresses, phone numbers, physical addresses, and notably, customers’ total purchase amounts.
According to BBC reports, cybercriminals identifying as Shiny Hunters have claimed responsibility, asserting they hold data linked to 7.4m unique email addresses.
While Kering has reported that no financial data such as credit card details were compromised, the exposure of spending patterns — some customers having spent over US$10,000, with a few amounts reaching between US$30,000 and US$86,000 — raises concerns over potential targeted scams.
The threat group has reportedly contacted Kering to negotiate a Bitcoin ransom; the firm says it has not engaged with the demand, following law enforcement advice by refusing to pay.
This incident aligns with a surge of cyberattacks on luxury brands in 2025, including breaches reported by LVMH and Richemont. Security experts warn luxury brands remain prime targets due to their valuable data on high-net-worth customers. The hacking group, also known as UNC6040 in FBI investigations, employs social engineering tactics such as vishing to bypass security controls, intensifying risks for affected individuals.
Kering has announced that it has taken steps to strengthen its IT defenses since the incident and has informed affected customers, as required by data protection authorities.
The breach illustrates the ongoing challenges luxury retailers face as increasingly sophisticated cyber threats target exclusive consumer data for fraud and extortion.
Currently, many jurisdictions require organizations to report data breaches to regulators within a specific timeframe—72 hours in the EU under GDPR and 60 days in some US states. However, these regulations do not universally mandate immediate public disclosure, allowing organizations to delay informing the public or affected individuals while conducting investigations and assessments. If cybersecurity laws are this flexible, is “too lax” the new standard?