In April, the cybercriminal group Shiny Hunters breached Kering, the French luxury conglomerate that owns brands like Gucci, Balenciaga, and Alexander McQueen.
The attack exposed the names, email addresses, phone numbers, addresses, and total spending amounts of customers worldwide. Kering has confirmed it refused to pay a Bitcoin ransom demanded by the group.
What customer data was stolen at Shiny Hunters breach?
The stolen data included personal contact information and detailed purchase histories but did not contain sensitive financial data. According to a Kering spokesperson, the breach involved temporary access to their systems.
“In June, we identified that an unauthorized third party gained temporary access to our systems and accessed limited customer data from some of our Houses. No financial information – such as bank account numbers, credit card information, or government-issued identification numbers – was involved in the incident.”
Shiny Hunters claimed to have data associated with 7.4 million unique email addresses. To verify their claim, the group provided a small sample to the BBC, which contained thousands of genuine customer records.
The sample included a “Total Sales” field that documented how much individual customers had spent with each brand. Many customers in the sample had spent over $10,000, with some spending between $30,000 and $86,000. This type of information could be used to target high-value customers in future scams.
Kering’s response to the breach
Shiny Hunters informed the BBC that they first contacted Kering in early June to demand a ransom.
Kering refused to pay, following the advice of law enforcement agencies. After discovering the breach, the company notified the relevant data protection authorities and sent emails to all affected customers.
Under current regulations, Kering was not required to make a public statement about the incident.
Connection to a wider attack trend
The attack on Kering occurred around the same time other luxury brands, including Cartier and Louis Vuitton, reported their own data breaches. It is not clear if these incidents are connected.
In June, Google issued a warning about a series of attacks linked to Shiny Hunters, which Google tracks as UNC6040. The group’s tactics often involve tricking employees into giving up login credentials for internal Salesforce software to steal customer data.
Google confirmed it was also targeted by an attack using these same methods, indicating the group’s sophisticated and widespread operations.
