South Korea fines Louis Vuitton, Christian Dior, Tiffany $25M for SaaS security failures

South Korea’s data protection authority has handed down a combined KRW 36 billion (approximately US$25 million) in administrative fines to the local subsidiaries of three global luxury houses, after finding they failed to implement basic security controls while managing customer data through a SaaS platform.

The Personal Information Protection Commission (PIPC), South Korea’s top privacy regulator, announced on Feb. 12 that it levied a total of KRW 36.033 billion in fines and KRW 10.8 million in additional penalties against Louis Vuitton Korea, Christian Dior Couture Korea, and Tiffany Korea for violations of the country’s Personal Information Protection Act (PIPA). The regulator also ordered all three companies to publicly disclose the enforcement actions on their websites.

The PIPC noted that the data in question — personal information belonging to Korean customers — was collected and processed domestically by the local subsidiaries, placing it squarely within the jurisdiction of PIPA.

Louis Vuitton drew the heaviest penalty at KRW 21.385 billion. In that case, an employee’s device was compromised by malware, allowing threat actors to harvest SaaS account credentials. The breach resulted in the exposure of personal data belonging to roughly 3.6 million individuals across three separate incidents between June 9 and June 13 of last year. Despite having used the SaaS platform since 2013, Louis Vuitton Korea had never implemented IP-based access restrictions or enforced stronger authentication for remote access.

Christian Dior Couture Korea was fined KRW 12.236 billion, plus an additional KRW 3.6 million in penalties. In Dior’s case, a customer service representative fell victim to a voice phishing (vishing) attack and directly provisioned SaaS access to the attacker, leading to the exposure of personal data for approximately 1.95 million individuals. The company had failed to enforce IP-based access controls, had not restricted the use of bulk data export tools, and had not conducted monthly access log reviews — lapses that allowed the breach to go undetected for more than three months. The PIPC also confirmed that Dior missed the statutory 72-hour window for notifying authorities and affected individuals once the breach was discovered.

Tiffany Korea received a fine of KRW 2.412 billion and an additional KRW 7.2 million in penalties. The attack vector mirrored Dior’s: a customer service employee was socially engineered through a vishing scheme and granted the attacker access privileges, resulting in the compromise of personal information for approximately 4,600 individuals. Tiffany likewise lacked IP-based access controls and bulk download restrictions, and failed to report the breach within the required 72-hour timeframe.

The PIPC stressed that SaaS environments used to process personal data qualify as “personal information processing systems” under Korean law. As such, organizations are required to enforce least-privilege access, implement IP-based access controls, and deploy strong authentication mechanisms — including one-time passwords, digital certificates, or hardware security tokens.
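The controls the PIPC cites (IP-based access restriction, strong authentication for remote access, limits on bulk export, periodic access log review) are all checks that can be run mechanically against a SaaS platform's access log. The script below is an added illustration, not code from the PIPC or any of the companies named: it reviews a constructed sample log in a made-up CSV format (timestamp, user, source IP, action, record count, MFA flag), flags activity from outside an assumed office allowlist, remote logins without MFA, exports above an assumed threshold, and access grants that should be reconciled against a change ticket. The log lines, the allowlist range and the threshold are all assumptions chosen for the example.

```python
import ipaddress
from datetime import datetime

# Constructed sample access log for the example (not real data):
# timestamp,user,source_ip,action,record_count,mfa_used
SAMPLE_LOG = """\
2025-06-09T02:14:07Z,cs.agent1,203.0.113.45,login,0,no
2025-06-09T02:15:30Z,cs.agent1,203.0.113.45,export,850000,no
2025-06-09T09:01:12Z,cs.agent2,198.51.100.10,login,0,yes
2025-06-09T09:05:44Z,cs.agent2,198.51.100.10,view_record,1,yes
2025-06-10T03:40:19Z,cs.agent1,203.0.113.45,export,1200000,no
2025-06-10T10:22:08Z,admin1,198.51.100.22,grant_access,0,yes
"""

# Assumed corporate egress range; a real deployment would load this from config.
OFFICE_ALLOWLIST = [ipaddress.ip_network("198.51.100.0/24")]
# Assumed ceiling above which an export is treated as bulk.
EXPORT_THRESHOLD = 10_000


def parse_log(text):
    """Parse the constructed CSV format into a list of dicts."""
    entries = []
    for line in text.strip().splitlines():
        ts, user, ip, action, count, mfa = line.split(",")
        entries.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "ip": ipaddress.ip_address(ip),
            "action": action,
            "count": int(count),
            "mfa": mfa == "yes",
        })
    return entries


def review_access_log(entries, allowlist=OFFICE_ALLOWLIST, threshold=EXPORT_THRESHOLD):
    """Return a list of (finding_code, user, source_ip, detail) tuples."""
    findings = []
    for e in entries:
        ip_str = str(e["ip"])
        inside = any(e["ip"] in net for net in allowlist)
        # Control 1: IP-based access restriction
        if not inside:
            findings.append(("OUTSIDE_ALLOWLIST", e["user"], ip_str, e["action"]))
        # Control 2: strong authentication for remote access
        if not inside and e["action"] == "login" and not e["mfa"]:
            findings.append(("REMOTE_LOGIN_WITHOUT_MFA", e["user"], ip_str, ""))
        # Control 3: restriction of bulk data export tools
        if e["action"] == "export" and e["count"] >= threshold:
            findings.append(("BULK_EXPORT", e["user"], ip_str, f"{e['count']} records"))
        # Control 4: least privilege - every access grant needs a reviewed justification
        if e["action"] == "grant_access":
            findings.append(("PRIVILEGE_GRANT", e["user"], ip_str, "verify against change ticket"))
    return findings


def exported_records_by_user(entries):
    """Total records exported per user, useful for sizing exposure after the fact."""
    totals = {}
    for e in entries:
        if e["action"] == "export":
            totals[e["user"]] = totals.get(e["user"], 0) + e["count"]
    return totals


def summarize(findings):
    """Count findings by code."""
    counts = {}
    for code, *_ in findings:
        counts[code] = counts.get(code, 0) + 1
    return counts


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for finding in review_access_log(log):
        print(*finding, sep=" | ")
    print(summarize(review_access_log(log)))
    print(exported_records_by_user(log))
```

Run monthly (the cadence the regulator mentions) or, better, continuously, a review like this would have surfaced the pattern the article describes: repeated logins from an unrecognised address, no second factor, and multi-million-record exports. The per-user export total also gives incident responders a first estimate of how many records left the platform, which feeds the 72-hour notification decision.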

“Adopting a Software-as-a-Service solution does not exempt or transfer a company’s obligation to safeguard personal information,” the PIPC said in its official statement. “Data controllers must fully leverage the security features these platforms provide to prevent breaches.”
