Fashion Retailer Dior Discloses Cyberattack
Luxury fashion brand House of Dior has reported a cybersecurity incident, discovered on May 7, that exposed customer information. From Bleeping Computer:
A spokesperson for the firm told BleepingComputer that the incident impacts Dior Fashion and Accessories customers. Currently, cybersecurity experts are investigating the incident to determine its scope.
“The House of Dior recently discovered that an unauthorized external party accessed some of the data we hold for our Dior Fashion and Accessories customers,” stated the spokesperson.
“We immediately took steps to contain this incident. The teams at Dior, supported by leading cybersecurity experts, continue to investigate and respond to the incident.”
Dior clarified to BleepingComputer that the incident did not expose account passwords or payment card information, as these were stored in a different database that remained unaffected.
“No passwords or payment information, including bank account or payment card information, were in the database affected in the incident.”
“We are working to notify relevant regulators and customers in line with applicable law.”
Javvad Malik, lead security awareness advocate at cybersecurity company KnowBe4, commented:
“Dior’s disclosure, while prompt, employs notably measured language regarding the scope of affected data. This careful phrasing, ‘some of the data we hold’, leaves considerable ambiguity about the true extent of the compromise, which is problematic from a transparency standpoint.
While the non-exposure of payment information and credentials provides some reassurance, the compromised personal data (names, contact details, purchase history) presents substantial risk. This combination of information creates a perfect foundation for highly targeted social engineering attacks against a particularly affluent customer base. The international dimension of this breach—affecting customers across multiple jurisdictions including South Korea and China—introduces complex regulatory compliance challenges. The reports from Korean media suggesting potential notification failures are particularly concerning, as timely and comprehensive regulatory notification has been a well-established compliance requirement for years.”
The fact that a high-profile company such as Dior has been pwned shows that any organization is at risk. By extension, every organization should take steps to make sure that its exposure to risk is as close to zero as possible.
UPDATE: I received a comment from Yotam Segev, Co-founder and CEO, Cyera:
“This breach appears to stem from a failure in data classification and access controls—Dior confirmed sensitive customer data was accessed, though financial data was not compromised. That points to a lack of centralized, real-time visibility into sensitive data and inconsistent protection policies. Luxury brands are often soft targets: they operate in complex, global environments but lack full data inventories and cohesive protections across markets. With regulatory implications across China and South Korea, this breach is a clear signal that data security posture management (DSPM) must become a boardroom and budget priority.”
July 21, 2025 at 3:07 pm
[…] couple of months ago, I posted a story on fashion house Dior getting pwned in a cyberattack. Today Dior is sending data breach notifications to U.S. customers informing them […]