- Dior begins sending data breach notification letters after the attack
- The letters explain what happened and what data was stolen
- The company urges customers to stay on high alert for phishing and identity theft
Global fashion powerhouse Dior has begun sending data breach notification letters to customers affected by a January 2025 cyberattack.
The letter told customers what happened, what types of data were taken, and what the incident involved.
It also offered free identity and credit monitoring services for 24 months through Experian IdentityWorks℠ Credit Monitoring.
Korean and Chinese targets
The incident occurred on January 26, 2025, but was only discovered on May 7. Dior responded by notifying the police and bringing in third-party experts to evaluate the situation.
The analysts determined that the threat actors accessed a database containing customer information, including full names, contact information, postal addresses, dates of birth, passport and government identification numbers, and Social Security numbers (SSNs).
The combination of stolen information varies from person to person, but Dior emphasized that payment information, including bank account or payment card details, was not stolen, since it was not in the database to begin with.
In response to the attack, the company “improved network security” without going into further detail.
Unfortunately, the damage was already done, and the attackers now have a lot of information to use in targeted attacks. Information such as names, email addresses, birth dates and government identification information can be used to create personalized and convincing phishing attacks, especially because the attackers know that the victims are Dior customers.
Dior knows this too, so the letter also recommends that users “remain attentive to fraud and identity theft incidents.”
“We also recommend that you continue to review your financial accounts, account statements and free credit reports for any suspicious activity.”
This seems to have been an international incident, since at least Korean and Chinese customers appear to have been affected. In South Korea, Dior could face a lawsuit for not properly notifying the relevant authorities. So far, no threat actor has claimed responsibility for the attack, and the stolen data has not surfaced on the dark web.
Via BleepingComputer