Published:
7.7.2025
Last Updated:
7.7.2025

The Battle Against Cybercrime in High-End Retail


Lessons in Incident Response

A series of cyber-attacks targeted some of the world’s most prestigious luxury brands, compromising customer data and putting brand trust to the test. French fashion house Dior and jeweler Cartier both suffered data breaches, joining a growing list of high-end retailers hit by cyber-attacks this year. These incidents underscore the importance of robust cybersecurity and transparent client communication in the luxury sector.


Copyright © 2025 Chetcuti Cauchi. This document is for informational purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking any action based on the contents of this document. Chetcuti Cauchi disclaims any liability for actions taken based on the information provided. Reproduction of reasonable portions of the content is permitted for non-commercial purposes, provided proper attribution is given and the content is not altered or presented in a false light.


The Breaches in a Nutshell

Dior’s breach was discovered on May 7, 2025, and affected customers across several regions. The unauthorized party accessed sensitive information from the Dior Fashion & Accessories client database. Compromised data included personal identifiers and contact details, such as full names, email addresses, phone numbers, postal addresses, and purchase history, but no financial information such as credit card or bank details was accessed.

Just a few weeks after the cyber-attack on Dior, French luxury jeweler Cartier disclosed a data breach in June 2025. In a letter sent directly to affected clients, Cartier revealed that an unauthorized party gained temporary access to its IT system, acquiring limited customer data. Specifically, the breach exposed customers’ names, email addresses, and country of residence. No passwords, credit card numbers, or other financial details were compromised, according to the company’s notice.

Cyber Attacks Timeline

  • May 7, 2025: Dior breach discovered, involving unauthorized access to customer data.
  • May 29, 2025: Victoria’s Secret experiences a cyber incident affecting its operations.
  • June 2, 2025: Cartier breach disclosed, with client data compromised.
  • June 3, 2025: The North Face reports a credential-stuffing attack impacting customer accounts.
  • May 2025: Additional companies such as Tiffany & Co. and Marks & Spencer are reportedly targeted by hackers.

A Wider Trend of Cyber-attacks in Retail

Cybersecurity analysts note a pattern of threat actors shifting their focus toward high-end retail companies, attracted by rich customer data and the high stakes involved. Luxury brands trade heavily on customer trust and exclusivity, so a breach can have an outsized reputational impact compared with a breach at a non-luxury retailer. The trend is a wake-up call: no company, however prestigious, is immune from cyber risk. It also shows that every retailer must be prepared to handle a data breach professionally, as the luxury sector becomes a prime target for cybercriminals.

Legal Analysis

Effective Communication

One key lesson from these incidents is the importance of effective client communication when a breach occurs. Where a breach is likely to result in a high risk to the rights and freedoms of affected individuals, Article 34 of the GDPR requires the controller to communicate the breach to those individuals without undue delay.

Both brands responded with clear, timely communication to preserve trust. They prioritized prompt notification, reaching out to affected customers by email or formal letter as soon as the breach was confirmed. This proactive approach ensures that clients hear about the incident directly from the source rather than from press reports or the attackers themselves.

Both Dior and Cartier went a step further by providing advice and support to their clients. Their communications included guidance on self-protection, urging clients to remain vigilant and to be wary of phishing emails that could exploit the exposed personal data. By offering this guidance, the companies helped their customers mitigate potential follow-on fraud.

Transparency with Clients

The notifications from Dior and Cartier specifically outlined what information was exposed, while also reassuring customers about what remained safe, in particular financial data such as card and bank details. This transparency helps prevent misinformation and demonstrates the company's commitment to accountability.

Detailed communications of this kind also satisfy Article 34(2) of the GDPR, which requires the communication to describe, in clear and plain language, the nature of the breach, its likely consequences, the measures taken or proposed to address it, and a point of contact for further information. If the controller has not communicated the breach to the affected individuals, the supervisory authority may require it to do so (Article 34(4)). Such an omission also risks being taken into account by the authority when determining the level of any administrative fine.

Reporting Obligations

Both luxury brands took steps to meet their legal reporting obligations by notifying the relevant data protection authorities. Article 33(1) of the GDPR requires controllers to notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where notification is made after 72 hours, it must be accompanied by the reasons for the delay.

Article 33(3) requires the notification to describe the nature of the breach, including, where possible, the categories and approximate number of data subjects and personal data records concerned, the likely consequences of the breach, the measures taken or proposed to address it and mitigate its effects, and the contact details of the data protection officer or another point of contact. By adhering to these requirements, Dior and Cartier demonstrated their commitment to both regulatory compliance and the protection of their clients' personal data, reinforcing trust even in the wake of a security incident.

Strategic Lessons for Businesses

Security Risk Assessments

Conducting thorough security risk assessments to identify vulnerabilities in a company’s systems and processes is essential to finding and closing security gaps. Proactively identifying weaknesses allows a business to put preventive measures in place that reduce the likelihood of a breach and strengthen its cybersecurity capabilities, which is key to surviving in today’s digital environment.

Data Protection Compliance

Developing and implementing robust breach-reporting policies ensures that a business adheres to its legal obligations under the GDPR. Training staff to recognise the common characteristics of phishing emails and social engineering tactics, which are often involved in security incidents, further strengthens a business’ cybersecurity posture.

Incident Response Protocols

As part of proactive cybersecurity measures, businesses must establish clear incident response protocols. Should a breach occur, predefined procedures allow the business to act swiftly and effectively to contain it. Identifying in advance the key systems, the key individuals and the key steps to take in the immediate aftermath of a cyber-attack may well save a business’ reputation and operations.

Our Cybersecurity Practice

Given the rising threats, preventing breaches and preparing for incident response have become critical priorities for all businesses. Our expertise in cybersecurity and data protection plays a key role in assisting businesses in both proactive risk management and reactive incident handling. Our cybersecurity and data protection lawyers work closely to help businesses assess and prevent risks, establishing a strong foundation for data security.
