Fashion’s Cybersecurity Target: A Year of Breaches at Adidas, Kering, and LVMH
Fashion industry cyberattacks have surged over the past year, with projected costs for major conglomerates hitting $10.5 trillion by 2025, marking a 300% increase from 2015.
In a world marked by technology, where ecommerce has grown without pause for decades, Artificial Intelligence (AI) and machine learning run through the supply chain, and data has become an asset as valuable as stock, cybersecurity has moved to the center of companies’ agendas. Cyber-attacks hit any sector with a high volume of transactions, making the fashion industry a very attractive target.
Cyber attacks have increased over the last few years to the point of becoming one of the main nuisances for companies in all sectors, from sports to beauty, with a special incidence in luxury. By 2025 alone, the estimated cost to businesses of cyberattacks will reach $10.5 trillion, up 300% from a decade ago, according to the latest data from McKinsey.
Although response time to cyber risks has decreased in recent years, it still takes companies an average of 73 days to contain an incident. In 2024, companies will spend approximately $200 billion on cybersecurity products and services, up from $140 billion in 2020. The third-party vendor cybersecurity market is forecast to grow 12.4% annually between 2024 and 2027, surpassing historical growth levels, as organizations look to reduce attacks.
Security attacks average $5 million per incident, up 138% from 2023
More and more groups are using artificial intelligence to optimize their operations, risking inadvertently introducing cyber threats into the system, generating a growing demand for advanced cybersecurity solutions. AI is expanding what already represents a $2 trillion business opportunity for cybersecurity vendors.
Phishing, enterprise email vulnerabilities and credential theft lead to security breaches costing large groups an average of $5 million per successful incident, up 138% by 2023. Who have been the big victims of hackers in fashion?
Attack timeline
Since 2024, in a sort of advent calendar, companies in the fashion and cosmetics sector have been hit by numerous cyber-attacks which, in the worst cases, have involved the publication of private data of these companies’ customers by cyber-criminal groups and the paralysis of their platforms for days.
Just over a year ago, in September 2024, the Spanish fashion retail group Tendam suffered a cyber attack in which cybercriminals gained access to more than 720 gigabytes of information, which could contain compromised customer data. Using the unauthorized access as leverage, the perpetrators of the attack demanded that the company pay €800,000 to prevent the information from being leaked.
Marks & Spencer suffered a security breach in March, forcing the group to pause online ordering.
During the third month of the current financial year, the British fashion industry suffered three attacks in just two weeks. Co-op Group suffered an attack whose extent was revealed months later: it affected the data of more than 6.5 million members, including names, addresses and contact details. However, the company gave assurances that no financial data was affected.
It was followed by Marks & Spencer, which suffered a similar security breach, causing its website to crash for weeks and forcing the group to pause its online ordering, which is estimated to have cost the company up to $404 million. This was in contrast to Harrods, which was the victim of a security breach with minimal impact, although it did have to briefly restrict access to its website. These three cases were linked, as emerged in early July, when the UK’s National Crime Agency arrested four suspects common to all the incidents.
Victoria’s Secret also suffered one of the most costly attacks for the company, which had to shut down its website for four days in May, resulting in its shares falling by up to 8% on the stock market.
In the world of sports equipment, security attacks have ranged from Adidas, the victim of one last May, when the company said that its customers’ bank details were safe, to The North Face, which notified its customers in June that their personal data had been stolen in a computer attack that took place in April, assuring them that no payment card information had been affected. Decathlon felt the smallest impact: last May it was forced to carry out an analysis of the latest leak of which it was a victim, although it only affected the e-mails of its employees.
The case of luxury
This type of incident has been particularly rampant among companies in the luxury sector. Dior, owned by LVMH, was in the spotlight during the month of May, when it announced that it had suffered a cyber-attack in the Chinese market and gave assurances that no financial data had been affected during the attack, and that the perpetrator had not accessed the entire database. In this case, there has been a denouement: the luxury firm owned by the French group LVMH is facing an accusation from the Chinese authorities of illegally transferring its customers’ personal data from its branch in Shanghai to its headquarters in France. The public security authority has imposed an administrative sanction against the company.
A month later, LVMH was also the victim of a data breach. The attack on the group affected 419,000 customers, also from its Asian market, exposing names, passport details, addresses and email addresses, as well as phone numbers, purchase history and product preferences.
Cartier, Chanel and Gucci have all been victims of data breaches in recent months.
The luxury jewelry sector is also being targeted by cybercriminals. Cartier suffered a hack on its website that resulted in the theft of customer data, although no financial information was accessed. Weeks later, Pandora notified its customers that their personal data had been stolen, such as names and email addresses, but no passwords, financial data or similar sensitive information was compromised.
During August, Chanel was again the victim of a data breach, following another attack just a month earlier. The French company said the incident involved a Chanel Inc. database in the United States, hosted by an external service provider, without affecting the group’s operations.
The luxury conglomerate that joins the list of those affected this September is Kering, which has confirmed having been the victim of a computer attack attributed to the ShinyHunters group. The attackers stole data on customers of its Gucci brand, such as names, addresses and total spending in the company’s stores, as well as on customers of the company’s other brands, such as Balenciaga or Alexander McQueen.
The cyber-attacks on Clarins resulted in the publication of information on more than 600,000 customers.
In the world of luxury cosmetics, Clarins suffered a data breach, and the stolen data ended up being published on the blog of Everest, the group responsible for the cyber-attack, which claimed to have obtained information on more than 600,000 of the company’s customers, covering the United States, France and Canada.
As a result of the leaks, authorities in each country have taken appropriate action, especially in the Asian market. South Korea’s Personal Information Protection Commission has fined Moncler Group 88 million won ($63,200) for large-scale customer data breaches. The incident took place in December 2021 and exposed personal data of more than 230,000 users, including financial information such as card numbers, as well as names and emails.