Kering, the France-based parent of luxury brands such as Alexander McQueen, Balenciaga and Gucci, has admitted the personal data of customers has been compromised following an apparent ransomware attack that is being linked to the ShinyHunters hacking collective through a wide-ranging compromise of various Salesforce instances.
The purloined data is thought to comprise personal information including names and contact details, and information on customer spending history. The firm said that no financial or credit card data was affected.
A spokesperson for the organisation told the BBC that the compromise was uncovered in June. They said: “An unauthorised third party gained temporary access to our systems and accessed limited customer data from some of our Houses. No financial information … or government-issued identification numbers, was involved in the incident.”
The BBC additionally reported that Kering says it has refused to pay a ransom. However, via Telegram chat with an alleged ShinyHunters representative claiming the attack, the broadcaster also learned that negotiations have apparently taken place. ShinyHunters apparently breached Kering’s defences in April.
Kevin Marriott, senior manager of cyber and head of security operations at Immersive, said the apparent delay likely indicated some form of negotiation to suppress the leak had indeed occurred – or possibly that the data has now been sold and is being exploited.
Nevertheless, he said, the latest attacks continue a trend of incidents affecting luxury brands, with Kering rival LVMH also being targeted.
“What makes this particular breach so concerning is that not only were emails, phone numbers and addresses taken, but the data related to customer spend may be used to prioritise the customers impacted as targets in further attacks, through targeted social engineering attacks or identity fraud,” said Marriott.
“The latest breach affecting Gucci, Balenciaga and Alexander McQueen underlines the risks luxury brands face as prominent targets for cyber crime,” added Joseph Rooke, director of risk insight at Recorded Future’s Insikt Group.
“Attackers are drawn to these companies not only because of the global recognition of their brands, but also because their customer bases include high-net-worth individuals whose personal details can be especially valuable.”
Controlling the story
ShinyHunters’ use of high-profile national broadcasters to spread its message as widely as possible has been a hallmark of the extensive cyber attack campaign the gang – and associated ‘acts’ like Scattered Spider – have conducted during 2025.
Speaking to MPs in July, Marks & Spencer chairman Archie Norman described the “unusual experience” of learning about new developments in the Scattered Spider attack on the retailer from the BBC, where reporters have been in contact with several of the hackers.
Lee Sult, chief investigator at Binalyze, said that in too many cases, victims were losing control of the narrative and allowing their attackers to cause more harm by showboating in public.
“If attackers control the narrative, they can further damage their targets’ reputation and potentially spread misinformation,” said Sult.
“Getting ahead of this and owning the story means organisations can rebut false claims with confidence. But for this to happen, investigation cannot be something that happens after the dust settles.
“Instead it should be completed in hours instead of days, bringing light into the obscure areas so attackers have less space to make up stories,” he said.
