Louis Vuitton Extortion Data Breach

Luxury fashion house Louis Vuitton, part of the LVMH Group, experienced a significant data breach involving extortion, affecting customers across multiple countries, including the United Kingdom, South Korea, Turkey, Italy, Sweden, and Hong Kong. The incident was detected on July 2, 2025, when unauthorized access was identified within a database operated by a third-party service provider. Investigations revealed that attackers exploited a compromised “service account” linked to this provider, enabling them to exfiltrate sensitive customer information.
The scope of the breach was most severe in Hong Kong, where authorities confirmed that approximately 419,000 customers were affected. Stolen data included personal identifiers such as names, government-issued identification or passport numbers, residential addresses, email addresses, phone numbers, purchase histories, and product preferences. Importantly, Louis Vuitton clarified that payment card information, banking details, and passwords were not exposed, reducing the risk of direct financial fraud.
In response, Louis Vuitton immediately blocked the unauthorized access, engaged international cybersecurity experts, informed regulators, and began notifying affected customers. The company also pledged to strengthen its vendor oversight and tighten access control mechanisms. Nevertheless, regulators in several jurisdictions, including the Hong Kong Privacy Commissioner and North American authorities, opened investigations to determine whether the company had acted promptly in disclosing the breach.
This event underscored the growing risks luxury brands face in the digital era, where attackers increasingly target not only financial institutions but also consumer databases tied to prestige and high-value clientele. It also highlighted the persistent challenge of third-party supply-chain vulnerabilities, a leading cause of data breaches worldwide.