
Cyber attacks in the luxury retail sector: legal insights and practical steps for building resilience


Background

The luxury retail sector has become an increasingly attractive target for sophisticated cyber attacks, with several high-profile brands experiencing data breaches in the past year. The recent data breach affecting Kering, the French parent company of Gucci, Balenciaga and Alexander McQueen, has once again highlighted the persistent cyber risks facing luxury retailers. 

This incident is the latest in a series of cyber attacks targeting luxury brands and other retailers, including the recent Jaguar Land Rover incident. Similar breaches have occurred at Richemont’s Cartier and several labels under LVMH (Louis Vuitton, Christian Dior and Tiffany), including a July 2025 leak affecting approximately 419,000 customers of Louis Vuitton.

This article focusses on key lessons and practical steps businesses can take to build resilience and mitigate the risk of becoming the latest victim of a cyber attack.

The evolving threat landscape

Luxury brands are especially vulnerable to cyber attacks. Attackers are often motivated by the potential to access valuable customer data given the nature of the customers luxury brands serve. An analysis by the BBC of compromised data in the Kering breach reveals that some customers made purchases exceeding $10,000, with a few spending between $30,000 and $86,000. These high net-worth individuals are particularly vulnerable to secondary hacks and scams, including phishing attacks or identity fraud.

While financial data is not always compromised, the exposure of personal and transactional information still presents significant risks, including targeted scams and reputational harm to the brands.

Cyber attacks targeting luxury retailers have become increasingly organised, sophisticated and AI-powered. 

According to reports, the Kering attack was attributed to a group known as “Shiny Hunters.” Whilst Kering has not disclosed the exact method used to access their systems, Google’s cyber security analysts have linked “Shiny Hunters” to a broader threat actor, UNC6040, which is known for targeting enterprise third-party software systems by tricking employees into surrendering login credentials.

Building resilience: practical steps to protect your organisation

The recent surge in cyber attacks in luxury retail is a clear reminder that no organisation is immune to modern cyber threats. These incidents show that cyber security is no longer just an IT issue but a critical business risk that can damage a brand’s reputation and bottom line.

In today’s threat landscape, resilience must be understood as distinct from, and more than, mere prevention: it is about ensuring the capacity to respond swiftly and effectively when, not if, a breach occurs.

While the specifics of each incident may differ, the lessons for organisations handling customer data are fairly consistent. Notably, several breaches have involved vulnerabilities within the software systems of third-party service providers, underscoring the importance of robust due diligence and ongoing audit and oversight of external partners.

Below are some key practical steps businesses can take to build resilience and mitigate the risk of recurring breaches:

  1. Conduct regular security audits – undertake systematic assessments, audits and penetration testing of IT infrastructure, including systems managed by third parties. Ensure that audit findings are documented, tracked, and remediated (where necessary).
  2. Conduct risk assessments – systematically evaluate the likelihood and potential impact of various cyber threats, including those arising from within and across your supply chain. Use risk assessments to prioritise mitigation strategies and allocate resources where they are most needed.
  3. Strengthen incident response plan and crisis management – develop and maintain a clear, well-documented incident response plan, with defined roles, escalation paths, and communication protocols. Regularly test your plan through tabletop exercises and live simulations, including scenarios involving critical third-party suppliers.
  4. Enhance supply chain resilience – conduct robust due diligence on all third-party suppliers. Ethically hack (where appropriate) and continuously monitor your suppliers’ systems for vulnerabilities. Include critical suppliers in your breach simulations and incident response exercises to ensure coordinated action during real incidents.
  5. Implement multi-factor authentication (MFA) – require MFA for access to all sensitive systems, both internally and for supplier access where relevant. MFA is strongly recommended by the ICO and is now widely regarded as a baseline technical safeguard.
  6. Data minimisation – limit the collection and retention of customer data to what is strictly necessary for business purposes. Regularly review and securely delete data that is no longer required, including data held by suppliers. Ensure supplier contracts mandate timely deletion or return of data.
  7. Encrypt sensitive information – encrypt all personal and sensitive data at rest and in transit, both within your organisation and when shared with suppliers. Require suppliers to adhere to equivalent encryption standards and provide evidence of compliance.
  8. Staff training and awareness – human error remains a leading cause of data breaches. Deliver regular training to all staff, and require suppliers to do the same. Training should address cyber security best practice, phishing and social engineering recognition, and incident escalation procedures. 
  9. Monitor for unusual activity – deploy advanced monitoring solutions to detect anomalous activity across your network and those of your critical suppliers. Monitor network traffic, user behaviour, and system logs for signs of suspicious or unauthorised activity. Early detection is critical to limiting the impact of breaches.
  10. Governance, regular review and continuous monitoring – establish clear accountability for cyber security and data protection at board and operational levels. Regularly review and update policies, procedures, and technical controls in light of evolving threats, regulatory changes, and lessons learned from incidents and simulations. Foster a culture of vigilance and accountability throughout the organisation and supply chain.
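As an added illustration of step 9 (this is example code, not from the article or its authors), the following Python sketch applies a single detection rule to constructed audit log lines from a third-party customer-data system: it flags a bulk export that follows a login from a source address never previously seen for that account, which is the shape of the credential-theft pattern the article attributes to UNC6040. The log format, the export threshold and the time window are all assumptions to be tuned to real systems.

```python
# Added example: detection over constructed SaaS audit log lines.
# Rule: alert when an account logs in from a first-seen IP and then
# exports more than EXPORT_THRESHOLD rows within WINDOW of that login.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: timestamp user event source_ip rows_exported
SAMPLE_LOG = """\
2025-09-10T08:01:00 alice LOGIN 203.0.113.10 0
2025-09-10T08:05:00 alice EXPORT 203.0.113.10 120
2025-09-11T09:00:00 alice LOGIN 203.0.113.10 0
2025-09-11T22:14:00 alice LOGIN 198.51.100.77 0
2025-09-11T22:21:00 alice EXPORT 198.51.100.77 25000
2025-09-11T23:00:00 bob LOGIN 192.0.2.5 0
2025-09-11T23:02:00 bob EXPORT 192.0.2.5 50
"""

EXPORT_THRESHOLD = 10_000      # rows; assumed, tune to normal business volumes
WINDOW = timedelta(hours=1)    # assumed maximum gap between login and export


def parse(log: str):
    """Parse log lines into (time, user, event, ip, rows) tuples."""
    events = []
    for line in log.strip().splitlines():
        ts, user, event, ip, rows = line.split()
        events.append((datetime.fromisoformat(ts), user, event, ip, int(rows)))
    return events


def detect(log: str):
    """Return (user, ip, rows) for bulk exports shortly after a new-IP login."""
    known_ips = defaultdict(set)   # user -> source IPs seen in earlier logins
    last_new_login = {}            # user -> (time, ip) of latest first-seen-IP login
    alerts = []
    for ts, user, event, ip, rows in sorted(parse(log)):
        if event == "LOGIN":
            if ip not in known_ips[user]:
                last_new_login[user] = (ts, ip)
                known_ips[user].add(ip)
        elif event == "EXPORT" and rows >= EXPORT_THRESHOLD:
            new = last_new_login.get(user)
            if new and new[1] == ip and ts - new[0] <= WINDOW:
                alerts.append((user, ip, rows))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print("ALERT: bulk export after login from new source:", alert)
```

In a real deployment the set of known source addresses would be seeded from a baseline period so that every account's first login is not treated as new, and the same rule would be run against the supplier's audit feed as well as your own.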

Comment

The evolving cyber threat landscape requires ongoing vigilance, continuous improvement and investment (both in terms of time and money). By embedding strong governance alongside robust technical measures, luxury retailers can better protect their customers’ data, maintain trust, and safeguard their reputation in an increasingly challenging threat landscape. 

For advice on how to protect your organisation and build resilience against cyber attacks, please contact Martin Cook, Madelin Sinclair McAusland, Amanda Leiu, Justin Barrow or a member of Burges Salmon's Commercial & Technology team.

This article was written by Fraser Campbell and Amanda Leiu.
