High-end heist: Australians caught up in Louis Vuitton data breach

The Age

5 days ago

'The Louis Vuitton breach is just the latest in a string of cyber incidents for the sector, with big names like Tiffany, Dior, Adidas, Victoria's Secret and Cartier disclosing incidents since just April. Ransomware group ShinyHunters is likely behind some, but not all of these.'
Loading
ShinyHunters, which was formed in 2020 and named after a Pokemon, has claimed credit for some of the most significant data breaches globally, affecting millions of people including Australians. It hasn't yet claimed responsibility for the Louis Vuitton breach.
'ShinyHunters' MO is stealing large datasets. Often, they sell these datasets to other criminals; sometimes, they leak them as a publicity stunt,' Mansted said.
She said CyberCX was seeing far fewer businesses in Australia, and globally, pay ransoms to cybercriminals. The criminals aren't stopping, however, but are instead operating in sectors and places more willing to pay ransoms or changing their service offerings. Some are reverting to stealing and selling data to make money.
'The retail sector is in a sweet spot for cybercriminals,' she said.
'The sector hasn't faced the same regulatory pressure to uplift cyber maturity as banks, telcos and other critical providers. But at the same time, it holds huge consumer datasets. These datasets are highly valuable – whether transacted by powerful data brokers, or unlawfully on the dark web by criminals.
'The high-end retail heist also highlights a growing problem confronting all businesses: third-party cyber risk. We're still understanding these incidents, but it's very possible that the source of at least some of these breaches is a third-party vendor commonly used across the sector.'
Australian companies now face fines of up to $50 million for serious breaches of the Privacy Act, after high-profile data breaches affected Optus and Medibank customers. The Office of the Australian Information Commissioner was contacted for comment.
The latest breach comes after 5.7 million Qantas customers had their information accessed by hackers this month, including information on frequent flyer accounts, addresses and food preferences. The airline said last week it had found no evidence yet of stolen data being released, but it was 'actively monitoring'.
Cybersecurity researcher Jamieson O'Reilly said while no passwords or financial data had been taken, the scope of stolen Louis Vuitton data still presented significant opportunities for exploitation.
'That is especially true when the breached entity is a high-profile luxury brand with a highly engaged and brand-loyal customer base,' he said.
Jamieson, who runs cybersecurity consultancy DVULN, said he had already noticed online chatter and victim reports indicating that Louis Vuitton customers had received phishing emails impersonating the company.
'Notably, this email referenced a known artist, Clara Bacou, who previously published conceptual NFT artwork for Louis Vuitton back in 2021,' he said.
Loading
'Anyone who searched the artist's name would find legitimate links tying her to Louis Vuitton, giving the email a false sense of authenticity. Combined with accurate customer data from the breach, the setup is precise enough to fool even security-aware recipients.'
He said it was highly likely that threat actors are already using the stolen data for nefarious purposes.
'While breaches are frequent, that does not make them acceptable,' he said.