Dior is latest retailer to suffer data breach
Data stolen from luxury brand’s Fashion and Accessories divisions
Luxury French fashion house Dior has confirmed a cybersecurity incident that resulted in a breach of customers’ personal data from its Fashion and Accessories division.
The breach, which the company says it discovered on 7th May, is under active investigation by cybersecurity specialists.
In a statement provided to BleepingComputer, a Dior spokesperson acknowledged that an "unauthorised external party" accessed certain customer data.
"The House of Dior recently discovered that an unauthorised external party accessed some of the data we hold for our Dior Fashion and Accessories customers," the spokesperson said.
"We immediately took steps to contain this incident. The teams at Dior, supported by leading cybersecurity experts, continue to investigate and respond to the incident."
While the brand has not revealed how many individuals or which countries were affected, signs of international exposure are mounting.
Dior's South Korean website has publicly posted a breach notification, and social media users in China have shared screenshots of similar alerts.
The compromised information includes customer names, gender, phone numbers, email addresses, postal addresses and purchase histories.
According to the notification posted on Dior's Korean online shop, this data may have been exposed during the incident on 7th May. However, Dior has said that more sensitive details, such as account passwords and payment card or banking information, were stored in a separate database and remain secure.
"No passwords or payment information, including bank account or payment card information, were in the database affected in the incident," the company confirmed.
Dior is currently in the process of notifying affected customers and regulatory bodies, although criticism has already emerged in South Korea over alleged delays in notifying all required local authorities.
Korean media report that Dior could face legal scrutiny for not fully complying with the country's data breach reporting laws, which require notifying affected individuals and the regulator within 72 hours of becoming aware of a breach.
Like M&S this week, Dior has advised customers to stay alert for potential phishing attempts or fraudulent communications. The brand encourages individuals to report any suspicious activity directly to its customer service channels.
"The confidentiality and security of our customers' data is an absolute priority for the House of Dior. We sincerely regret any concern or inconvenience this matter may cause our customers," the company added.
This data breach coincides with Dior's parent company, LVMH, reporting a 3% year-over-year decline in group revenue, amounting to €20.3 billion in the first quarter.
Revenue from China (excluding Japan) fell 11%, leading to a decrease in the region's contribution to total sales from 33% in 2024 to 30%. It remains to be seen if this breach affects sales further.
The incident adds Dior to a growing list of high-profile retailers targeted by cyber criminals in recent months.
British retailer Marks and Spencer recently confirmed that customer data was stolen in an attack that has disrupted its online operations for weeks.
Luxury department store Harrods and food retailer Co-op have also suffered similar breaches.