Millions of customers of luxury brands Gucci, Balenciaga and Alexander McQueen may have had their personal details stolen in a ransomware attack.
The compromised data includes names, email addresses, phone numbers, home addresses and the total amount spent in the fashion houses’ stores worldwide, according to reports.
Kering, the brands’ parent company, confirmed the breach in a statement but did not name the affected labels.
The company said that in June, “an unauthorised third party gained temporary access to our systems and accessed limited customer data from some of our Houses.”
It stressed that no financial information had been taken and said customers whose details were compromised had been contacted directly.
According to the BBC, the hackers behind the attack are the group known as ShinyHunters.
They claim to have obtained data linked to more than seven million unique email addresses, suggesting the number of victims could be similar.
One of the most sensitive fields in the stolen dataset is “Total Sales”, which shows how much each customer has spent. A sample analysed by the BBC revealed some individuals had spent more than $10,000, with a handful spending between $30,000 and $86,000.
Cybersecurity specialists say this makes the breach particularly concerning: “Not only were emails, phone numbers and addresses taken, but also spending data that could be used to prioritise victims for targeted social engineering or identity fraud,” said Kevin Marriott, senior manager of cyber and head of SecOps at Immersive.
He warned that attackers could use this information to profile wealthier customers as higher-value targets.
Marriott added that the incident reflects a wider trend of high-end retailers being targeted. “The delay in disclosure may have been ShinyHunters negotiating payment to suppress the leak or verifying the dataset’s contents,” he said. “More concerningly, the release could mean they’ve already exploited it and now seek notoriety.”
With ransomware attacks on retailers continuing, Marriott said businesses need to be “confident in their cyber capabilities. Awareness is not enough – enterprises should be continuously stress-testing their defences and drilling all employees against cyber threats.”
He urged Kering to confirm to affected customers that their details had been compromised as soon as possible and to outline clear precautionary measures.