Tiffany and Dior Also Hacked... Reluctant Security Investment Despite Repeated Breaches

Personal Data Breaches Continue in Retail Industry
Luxury Brands Like Dior and Tiffany Also Affected
Criticism Raised Over 'Complacent Attitude Toward Information Security'

Recently, a series of hacking incidents has occurred both among global luxury brands and within the domestic retail industry. Some companies have not even issued notifications about personal information leaks, and have been criticized for being reluctant to invest in personal data protection. In light of the recent hacking incident at SK Telecom, there are growing calls for urgent countermeasures, as public interest in personal information protection has increased.


According to the retail industry on May 31, Tiffany & Co., a luxury jewelry brand under LVMH, experienced a hacking incident on April 8, which resulted in the leakage of some personal information of domestic customers. Tiffany Korea became aware of this incident on May 9, one month later, and recently sent emails to some customers to inform them of the hacking. However, the company did not post any separate announcements regarding the incident on its homepage or social networking services (SNS).


Customer Information Hacked at Multiple 'LVMH' Brands... Domestic Retailers Also Suffer Breaches

This is not the first time that LVMH has suffered from a hacking incident. Previously, on May 13, Dior, another luxury brand under LVMH, sent emails to customers stating, "On May 7, we discovered that an unauthorized third party had accessed some customer data held by our company," thereby notifying them of the hacking. At that time, Dior explained that customer names, mobile phone numbers, email addresses, and postal addresses had been leaked. However, the company clarified that financial information, including bank details and credit card information, was not included in the breach.


Hacking incidents targeting domestic retail companies have also continued. In January, GS Retail announced that it had identified signs of a hacking attack that led to the leakage of personal information of about 90,000 GS25 convenience store members. Further analysis revealed that from June 21, 2023, to February 13, 2024, approximately 1.58 million customer records were leaked from GS Shop, a home shopping company. Black Yak also suffered a hacking attack in March, which resulted in the leakage of personal information of about 340,000 people. In March, there was also a hacking attempt at CJ Olive Young, a health and beauty retailer under CJ Group.


According to the Korea Internet & Security Agency (KISA), the number of reported cyber threat incidents in Korea increased by 48%, from 1,277 cases in 2023 to 1,887 cases last year. In the first half of last year, there were 899 cases, up 35% from the same period the previous year, and in the second half, there were 988 cases, a 61% increase year-on-year.


Domestic Retailers Vulnerable to Security Breaches... Reluctant to Invest in Secure Login Systems

Frequent hacking incidents in the retail industry have been attributed to the use of simple login methods. It is reported that many of the personal information leaks in the retail sector this year have resulted from "credential stuffing" attacks. Credential stuffing is a method in which hackers use leaked login credentials, such as IDs and passwords, and try them randomly on websites or apps. If they succeed in logging in, they steal personal information. The more frequently the same ID and password are used across multiple sites, the more vulnerable the security becomes.


In fact, the hacking incident at CJ Olive Young in March is believed to have involved a credential stuffing attack, with login attempts from more than 60,000 IP addresses over approximately five hours.
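When login attempts are spread over tens of thousands of IP addresses, as described above, each address stays under a per-IP lockout limit, so detection has to look at site-wide failure rate and username spread instead. The following is an added example, not part of the original article; the log fields, thresholds and sample data are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# All thresholds are assumed values for illustration; tune against a real baseline.
WINDOW = timedelta(minutes=10)   # tumbling window size
PER_IP_LIMIT = 20                # classic per-IP lockout threshold
MIN_ATTEMPTS = 200               # ignore quiet windows
MAX_FAIL_RATE = 0.5              # failure rate above this is abnormal
MIN_USER_SPREAD = 0.8            # distinct usernames / attempts

def bucket(ts):
    """Floor a timestamp to the start of its tumbling window."""
    epoch = datetime(1970, 1, 1)
    return epoch + ((ts - epoch) // WINDOW) * WINDOW

def analyse(events):
    """events: iterable of (datetime, ip, username, success). Returns per-window stats."""
    windows = defaultdict(lambda: {"n": 0, "fail": 0, "ips": defaultdict(int), "users": set()})
    for ts, ip, user, ok in events:
        w = windows[bucket(ts)]
        w["n"] += 1
        w["fail"] += 0 if ok else 1
        w["ips"][ip] += 1
        w["users"].add(user)
    report = []
    for start, w in sorted(windows.items()):
        fail_rate = w["fail"] / w["n"]
        user_spread = len(w["users"]) / w["n"]
        per_ip_hits = [ip for ip, c in w["ips"].items() if c > PER_IP_LIMIT]
        # Site-wide signal: many attempts, mostly failing, almost every one a new username.
        distributed = (w["n"] >= MIN_ATTEMPTS and fail_rate > MAX_FAIL_RATE
                       and user_spread >= MIN_USER_SPREAD)
        report.append({"start": start, "attempts": w["n"], "distinct_ips": len(w["ips"]),
                       "fail_rate": round(fail_rate, 2), "per_ip_alerts": per_ip_hits,
                       "stuffing_suspected": distributed})
    return report

def constructed_sample():
    """Constructed data: one normal window, then one window of distributed attempts."""
    t0 = datetime(2025, 1, 1, 9, 0)
    normal = [(t0 + timedelta(seconds=i * 5), f"198.51.100.{i % 50}", f"user{i % 40}", i % 10 != 0)
              for i in range(100)]
    t1 = t0 + timedelta(minutes=10)
    attack = [(t1 + timedelta(seconds=i), f"203.0.113.{i % 250}", f"leaked{i}", i % 100 == 0)
              for i in range(500)]
    return normal + attack
```

On the constructed sample, the second window raises no per-IP alert (two attempts per address) yet is flagged by the site-wide check.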


The "quick purchase" feature, considered the greatest competitive advantage of domestic e-commerce platforms, has led to the adoption of simple login systems, which in turn have increased the risk of hacking. To prevent personal information leaks caused by hacking, it is necessary to enable multi-factor authentication or introduce dual login procedures in the login process. However, making the login process more complex can lead to customer attrition, which has resulted in insufficient investment in related security measures.


In fact, major retail companies have been found to invest less in information security and employ fewer personnel in this area compared to other industries. According to KISA, as of the end of 2023, the average ratio of information security investment to IT investment among all companies that disclosed such information was 6.11%. In contrast, major retail companies such as GS Retail (1.9%), CJ Olive Young (4.1%), and Lotte Shopping (4.8%) had lower ratios than the average.


The same is true for security personnel. During the same period, the average ratio of information security personnel to IT personnel among all companies that disclosed such information was 6.26%. However, GS Retail (3.9%), CJ Olive Young (2.2%), and Lotte Shopping (3.25%) all fell short of this average.


Park Chunsik, professor of information security at Seoul Women's University, stated, "Retail companies that handle large volumes of customer personal information must pay special attention to preventing information leaks." He added, "The fact that both investment and personnel in information security fall below the average is an example of management's complacent attitude toward personal information protection." He emphasized, "Even if it incurs some costs, strong commitment from management to information security is necessary from a business management perspective."


© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
