Louis Vuitton drew the heaviest penalty at KRW 21.385 billion. In that case, an employee's device was compromised by malware, allowing threat actors to harvest SaaS account credentials. The breach resulted in the exposure of personal data belonging to roughly 3.6 million individuals across three separate incidents between June 9 and June 13 of last year. Despite having used the SaaS platform since 2013, Louis Vuitton Korea had never implemented IP-based access restrictions or enforced stronger authentication for remote access.
Christian Dior Couture Korea was fined KRW 12.236 billion, plus an additional KRW 3.6 million in penalties. In Dior's case, a customer service representative fell victim to a voice phishing (vishing) attack and directly provisioned SaaS access to the attacker, leading to the exposure of personal data for approximately 1.95 million individuals. The company had failed to enforce IP-based access controls, had not restricted the use of bulk data export tools, and had not conducted monthly access log reviews, lapses that allowed the breach to go undetected for more than three months. The PIPC also confirmed that Dior missed the statutory 72-hour window for notifying authorities and affected individuals once the breach was discovered.
Tiffany Korea received a fine of KRW 2.412 billion and an additional KRW 7.2 million in penalties. The attack vector mirrored Dior's: a customer service employee was socially engineered through a vishing scheme and granted the attacker access privileges, resulting in the compromise of personal information for approximately 4,600 individuals. Tiffany likewise lacked IP-based access controls and bulk download restrictions, and failed to report the breach within the required 72-hour timeframe.
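The three findings the PIPC repeats across these cases (no IP-based access restriction, no limit on bulk exports, no periodic access-log review) can be checked with a small review script. The following is an added illustration, not code from the article or from any of the companies it describes: it scans a constructed JSON-lines SaaS audit log and flags activity from outside a corporate IP allowlist, logins that completed without MFA, and export events above a records threshold. The log format, the allowlist ranges, the threshold and the sample events are all assumptions made for the example.

```python
"""Periodic SaaS access-log review.

Flags three things the article's enforcement cases turned on:
  - activity from a source IP outside the corporate allowlist
  - logins completed without MFA
  - bulk data exports above a records threshold
Log format, allowlist, threshold and sample events are constructed
assumptions; the script is not tied to any real SaaS product's schema.
"""
import ipaddress
import json
from collections import defaultdict

# Constructed corporate egress ranges (assumption; RFC 5737 test addresses).
ALLOWED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed threshold: an export above this many records is "bulk" (assumption).
BULK_EXPORT_THRESHOLD = 1000

# Constructed sample audit log in JSON-lines form (assumption). The second
# and third lines model a session from an unknown network that goes on to
# export a large record set.
SAMPLE_LOG = """\
{"ts": "2024-06-09T02:14:03Z", "user": "cs-agent-17", "src_ip": "203.0.113.45", "event": "login", "mfa": true}
{"ts": "2024-06-09T02:31:10Z", "user": "cs-agent-17", "src_ip": "192.0.2.77", "event": "login", "mfa": false}
{"ts": "2024-06-09T02:33:52Z", "user": "cs-agent-17", "src_ip": "192.0.2.77", "event": "export", "records": 150000}
{"ts": "2024-06-10T09:02:00Z", "user": "analyst-03", "src_ip": "198.51.100.12", "event": "export", "records": 250}
{"ts": "2024-06-11T11:45:19Z", "user": "analyst-03", "src_ip": "198.51.100.12", "event": "login", "mfa": true}
"""


def ip_allowed(ip_str, networks=ALLOWED_NETWORKS):
    """True if the source address falls inside one of the allowlisted networks."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in networks)


def review_access_log(log_text, networks=ALLOWED_NETWORKS,
                      bulk_threshold=BULK_EXPORT_THRESHOLD):
    """Return a list of findings as (reason, user, timestamp) tuples.

    One event can produce more than one finding, e.g. a bulk export that
    also originates from outside the allowlist.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        user, ts = ev["user"], ev["ts"]

        # Control 1: IP-based access restriction.
        if not ip_allowed(ev["src_ip"], networks):
            findings.append(("outside_allowlist", user, ts))

        # Control 2: stronger authentication for remote access.
        if ev["event"] == "login" and not ev.get("mfa", False):
            findings.append(("login_without_mfa", user, ts))

        # Control 3: restriction on bulk data export tools.
        if ev["event"] == "export" and ev.get("records", 0) > bulk_threshold:
            findings.append(("bulk_export", user, ts))
    return findings


def summarize(findings):
    """Collapse findings into {user: sorted list of distinct reasons}."""
    per_user = defaultdict(set)
    for reason, user, _ts in findings:
        per_user[user].add(reason)
    return {user: sorted(reasons) for user, reasons in per_user.items()}


if __name__ == "__main__":
    for reason, user, ts in review_access_log(SAMPLE_LOG):
        print(f"{ts} {user:<12} {reason}")
    print(summarize(review_access_log(SAMPLE_LOG)))
```

Run monthly (or, better, continuously) against the SaaS provider's audit export, the script surfaces exactly the pattern the article describes: a customer-service account authenticating from an unrecognised network without MFA and then pulling a large record set. Enforcing the allowlist and the export limit at the SaaS tenant itself prevents the event; the log review is the compensating detection when those controls are absent or bypassed.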
