Your go-to hub for Expert Insights,
Publications, and Resources on
data privacy and compliance

French luxury fashion house Dior has begun notifying its U.S. customers of a data breach that compromised personal information earlier this year. The incident, which occurred on January 26, 2025, was discovered more than three months later, prompting internal investigations and external cybersecurity support to assess its scope and contain the damage.

Dior, part of the Moët Hennessy Louis Vuitton (LVMH) group, confirmed that an unauthorized party gained access to a database containing sensitive client information. In notices sent to affected individuals, the company stated that the breach exposed full names, contact details, physical addresses, dates of birth, and, in some instances, passport or government identification numbers and Social Security numbers.

The company has clarified that no payment-related information, including bank account or credit card details, was stored in the compromised database. Following discovery of the incident on May 7, Dior engaged third-party cybersecurity experts and informed relevant law enforcement authorities. The brand also took immediate steps to contain the breach and has since found no evidence of further unauthorized access.

To mitigate potential risks for affected customers, Dior is offering a complimentary 24-month credit monitoring and identity theft protection service. Eligible individuals must enroll by October 31, 2025. The notification urges recipients to remain cautious, monitor their financial accounts for unusual activity, and be alert to phishing attempts.

The January breach had previously been linked to customer data compromises in South Korea and China. It now appears that the same cyberattack has also impacted Dior’s U.S. clientele.

The broader scope of the incident may include other LVMH brands. Louis Vuitton, also part of the conglomerate, recently disclosed similar breaches affecting customers in the United Kingdom, South Korea, and Turkey. Sources familiar with the matter suggest that both Dior and Louis Vuitton were affected by a coordinated cyberattack, allegedly carried out by the Shiny Hunters extortion group. The attackers are believed to have accessed customer data by breaching a third-party vendor's systems.

Although Dior has not yet disclosed the number of U.S. customers impacted, and the company has not responded to further requests for comment, cybersecurity analysts expect that Louis Vuitton may soon issue a similar notification to its American customers.

LVMH, which owns several high-profile luxury brands, has faced increasing scrutiny over the security of its digital infrastructure. With annual revenues exceeding $12 billion for Dior alone, the breach underlines growing concerns about data protection in the global luxury sector.