Cybercriminals have stolen personal information belonging to customers of Balenciaga, Gucci and Alexander McQueen, according to the brands’ parent company, Kering.
The French luxury group said the breach exposed customer names, email addresses, phone numbers, mailing addresses and purchase totals from stores worldwide. Financial details, including credit card numbers, were not compromised, the company said.
Kering reported the incident to data protection authorities and notified affected customers by email but did not disclose how many people were impacted, according to a BBC report. The company is not legally required to make the breach public as long as it alerts individuals directly.
A hacking group known as ShinyHunters has claimed responsibility. The group told the BBC it had obtained data tied to 7.4 million unique email addresses and shared a sample of customer records that appeared to be genuine. Some files showed individuals spending tens of thousands of dollars, raising concerns that high-value clients could be targeted in secondary scams if the data is leaked.
ShinyHunters said the breach occurred in April and that it contacted Kering in June, seeking a ransom in Bitcoin. The company denied negotiating and said it has refused to pay, in line with law enforcement guidance.
“In June, we identified that an unauthorized third party gained temporary access to our systems and accessed limited customer data from some of our Houses,” a Kering spokesperson told the BBC. “No financial information – such as bank account numbers, credit card details, or government-issued identification numbers – was involved in the incident.”
The attack came during a wave of cyber intrusions against luxury retailers, including Cartier and Louis Vuitton, though it remains unclear whether those cases are connected.
Google security researchers have also linked ShinyHunters — tracked internally as UNC6040 — to phishing campaigns that trick employees into surrendering login credentials for internal systems, including Salesforce.
Cybersecurity experts warn that stolen information such as names, addresses and purchase histories can be exploited by scammers posing as banks, government agencies or other organizations.
The U.K.’s National Cyber Security Centre advises consumers to stay alert for suspicious messages, avoid urgent demands from callers, and verify contacts by using official phone numbers. It also recommends changing passwords, enabling two-factor authentication, and creating unique logins using three random words.
