South Korea Fines Louis Vuitton, Dior, and Tiffany $25 Million Over Massive Customer Data Breaches

South Korea’s stringent data protection regulator has imposed significant penalties on the Korean subsidiaries of three major luxury fashion brands — Louis Vuitton, Christian Dior, and Tiffany & Co. — after widespread customer data breaches exposed millions of users’ personal information.

Enforcement Action by the Personal Information Protection Commission

On February 11, 2026, the Personal Information Protection Commission (PIPC) — South Korea’s central privacy authority — held a plenary session and approved administrative fines totaling around 36.03 billion won (approximately $24.9 million USD) against the three companies, citing violations of the Personal Information Protection Act (PIPA).

The official PIPC press release detailed the regulator’s findings, saying all three firms mishandled their use of software-as-a-service (SaaS) customer management platforms, which ultimately led to unauthorized access and the leakage of personal data. The commission also ordered the companies to publish notice of their penalties and breaches on their business websites.

Breakdown of Penalties and Lapses

  • Louis Vuitton Korea received the largest fine of roughly 21.38 billion won (about $16.4 million USD). According to PIPC, attackers stole SaaS account credentials from an employee’s malware-infected device, allowing data on approximately 3.6 million customers to be accessed and leaked. Security controls such as IP-based access restrictions and robust authentication methods were reportedly lacking.
  • Christian Dior Couture Korea was fined about 12.23 billion won (around $9.4 million USD) after a voice-phishing attack tricked a staff member into granting access to the SaaS system. This breach exposed the personal information of nearly 1.95 million users. PIPC noted the company failed to implement basic safeguards like access-logging reviews, download restrictions, and timely breach notifications (required within 72 hours under PIPA).
  • Tiffany Korea faced a penalty of 2.41 billion won (about $1.85 million USD) after a similar phishing incident led to the exposure of some 4,600 customers’ personal data. Like Dior, the company lacked sufficient technical limits on downloads and delayed notifying authorities.

Scope of the Data Breaches

Across all three breaches, the exposed information included personal identifiers such as names, email addresses, and phone numbers, along with other customer details related to their interactions with the brands. Authorities underscored that while some attacks stemmed from phishing or malware, the root causes often involved insufficient implementation of basic security practices and failure to meet legal compliance obligations.

Regulatory Takeaways

The PIPC’s actions send a clear message that international brands operating in South Korea are subject to the country’s robust privacy laws. These regulations are enforced under the Personal Information Protection Act, a comprehensive data protection regime designed to safeguard individuals’ privacy rights and mandate strict reporting and security standards for personal data handlers.

PIPC stressed that simply relying on cloud-provided SaaS solutions does not absolve companies of responsibility for safeguarding customer data; firms must apply all available safety controls, including secure authentication, access supervision, and network restrictions, to prevent unauthorized access.