Cyber criminals have stolen the personal details of potentially millions of Gucci, Balenciaga and Alexander McQueen customers in a ransomware attack on their parent company, Kering.
The luxury group confirmed that in April hackers gained “temporary access” to its systems and accessed customer records, though it insists no financial information such as card or bank details was stolen.
The compromised data includes names, email addresses, phone numbers, home addresses and the total amount customers spent in-store. The hacker behind the breach, who calls themselves Shiny Hunters, claims to hold data linked to 7.4 million email addresses, suggesting a similar number of victims.
Kering said affected customers had been contacted directly, though it has not disclosed how many people were impacted. Legally, companies do not need to make a public statement if they notify individuals individually, but the scale of the breach has raised alarm across the industry.
A small sample of the stolen data, shared with the BBC, included thousands of customer records showing spending habits. Some individuals had spent over $10,000, while others were flagged with totals as high as $86,000. Experts warned this could expose high-spending clients to targeted scams or phishing attacks.
Becky White, Senior Solicitor in Harper James’ Data Protection team, told Business Matters: “While no card or ID details were taken, the exposure of names, contact information and purchase history poses a serious risk. This type of data can reveal who your most valuable customers are, enabling cyber criminals to craft convincing phishing campaigns or target high-net-worth individuals for fraud.”
Shiny Hunters said they approached Kering in June demanding a Bitcoin ransom, but the company denies entering negotiations, saying it had followed law enforcement advice and refused to pay.
“In June, we identified that an unauthorised third party gained temporary access to our systems and accessed limited customer data from some of our Houses,” a Kering spokesperson said. “No financial information — such as bank account numbers, credit card information or government-issued IDs — was involved in the incident.”
Kering added that its IT systems had since been secured and regulators notified.
The breach occurred during a wave of cyberattacks on luxury retailers. Cartier and Louis Vuitton also disclosed customer data leaks earlier this year.
Shiny Hunters, also tracked by Google as UNC6040, has been linked to phishing-style intrusions on corporate Salesforce systems. The group has previously targeted technology firms and government contractors.
Google itself warned in June of attacks by the same collective, which it said tricked employees into handing over login details.
White said the Kering breach was “a wake-up call” for the sector: “Businesses often focus on securing payment details, but underestimate the value of other CRM data — from purchase history to loyalty activity. Under UK GDPR, companies are expected to practise ‘data minimisation’, collecting and retaining only what is strictly necessary.
Whether you’re a global fashion house or a local retailer, investing in robust security and transparent communication isn’t just a legal obligation — it’s how you protect customer trust and safeguard your brand reputation.”
As online sales and app-based retail continue to grow, the luxury sector has become a prime target for hackers, given its wealthy clientele and global customer databases.
