Personal Information of Dior and Tiffany Customers Leaked
via Software as a Service Platforms
The Personal Information Protection Commission announced on the 1st that it has launched an investigation into data breaches involving Dior and Tiffany, brands under LVMH (Louis Vuitton Moet Hennessy).
According to the Commission, Dior reported that it became aware of a personal information leak that occurred around January only on the 7th of this month. The leaked data included customer information such as names, mobile phone numbers, email addresses, and sales data.
Tiffany also reported that it became aware of a breach that occurred around April on the 9th. It was reported that the leaked customer information included names, addresses, mobile phone numbers, email addresses, and sales data.
The Commission plans to determine the exact scope and targets of the leaks through its investigation. At the same time, it will verify whether there were any violations of the Personal Information Protection Act, including whether technical and managerial safety measures were implemented.
In particular, the Commission is focusing on why there was a significant delay between the occurrence of the incidents and the reporting of the breaches and notification to users. If any violations of the law are discovered, the Commission will take action in accordance with relevant regulations.
According to the Commission, both companies use customer management services based on Software as a Service (SaaS). Both breaches were found to have occurred when personal information was leaked through the use of employee account credentials to access the customer management service. As a result, the Commission also plans to examine the SaaS platforms involved.
A Commission official emphasized, "For companies using SaaS to prevent large-scale personal information leaks, it is necessary to implement access control measures such as applying multi-factor authentication to employee accounts and restricting access by IP address. It is also important to strengthen education, management, and supervision of personnel handling personal information to prevent account theft through phishing and other means."
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
