
Korean subsidiaries of global luxury brands have been hit with fines ranging from billions to over 20 billion won following customer data breaches. Food and beverage companies that failed to destroy user data past retention periods also face penalties.
The Personal Information Protection Commission announced on May 12 that it imposed a 21.385 billion won ($15.2 million) fine on Louis Vuitton Korea at its plenary meeting held the previous day. Christian Dior Couture Korea received a 12.236 billion won fine plus 3.6 million won in penalties, while Tiffany Korea was fined 2.412 billion won plus 7.2 million won in penalties. The commission also ordered public disclosure of the violations.
According to the commission, Louis Vuitton's employee devices were infected with malware, compromising Software-as-a-Service (SaaS) account credentials. The breach resulted in personal information of approximately 3.6 million customers being leaked across three separate incidents.
At Dior and Tiffany, customer service employees were tricked by voice phishing attacks into granting the attackers SaaS access, leading to breaches affecting approximately 1.95 million and 4,600 customers respectively. Dior notably failed to detect its data breach for more than three months.
The commission determined that the incidents stemmed from lax security systems at luxury brands that prioritized cost and convenience. These companies failed to restrict SaaS access by IP address and did not implement secure authentication measures such as one-time passwords, certificates, or security tokens for external access by data handlers.
"Even when companies adopt SaaS solutions, their responsibility to safely manage personal information is neither waived nor transferred," a commission official said. "Data controllers must fully utilize the privacy protection features provided by these services to prevent breaches."
The commission also imposed total fines of 1.566 billion won and penalties of 111.3 million won on 10 food and beverage businesses for privacy law violations, ordering corrective measures and public disclosure.
BKR (Burger King) was fined 924 million won for collecting and using personal information of children under 14 without parental consent. MGC Global (Mega MGC Coffee) received a 642 million won fine after its system automatically registered members as consenting to marketing and sent promotional messages to non-consenting users.
The commission urged immediate destruction of unnecessary personal data at platform operators Wad (Catch Table), Tabling, Yanolja F&B Solution (Dodo Point, Now Waiting), and franchise operators SCK Company (Starbucks), BKR, MGC Global, McDonald's Korea, A Twosome Place, Ediya, and The Born Korea (Paik's Coffee).
These businesses were found to have retained personal information beyond required periods or after fulfilling processing purposes. Cases also emerged of using personal data for marketing without consent and collecting children's information without parental approval.
"This investigation and enforcement is significant in proactively eliminating latent privacy infringement factors and minimizing social costs and damages from data breaches," the commission said.
