Those readers who aren’t A-listers (including yours truly) may never have heard of Kering, but you may have heard of their high-end fashion brands: Gucci. Yves Saint Laurent. Bottega Veneta. Balenciaga. Alexander McQueen. Brioni. It is some of those fashion brands that are the subject of this post as they fell prey to attacks by...
# Incident Report: Kering/Luxury Brands Salesforce Data Breaches
## Executive Summary
High-end fashion conglomerate Kering, which owns brands including Gucci, Balenciaga, Brioni, and Alexander McQueen, suffered at least two data breaches attributed to the threat actor ShinyHunters. The attacks targeted their Salesforce environments, resulting in the exfiltration of customer data potentially affecting over 50 million records. Kering has not publicly disclosed the incidents or notified affected parties as of the report date, despite acknowledging significant risks associated with data loss in their internal policies.
## Incident Details
- **Discovery Date:** Not publicly disclosed by Kering; reported by DataBreaches.Net after it received information from ShinyHunters (the incidents occurred in 2024 and prior to July 2025).
- **Incident Date:** Gucci breach occurred in 2024. Second breach (Balenciaga, Brioni, Alexander McQueen) occurred prior to the July 2025 policy update.
- **Affected Organization:** Kering (and subsidiary brands: Gucci, Balenciaga, Brioni, Alexander McQueen).
- **Sector:** Luxury Retail / Fashion
- **Geography:** Global (Customer data noted from various countries).
## Timeline of Events
### Initial Access
- **Date/Time:** Gucci breach occurred in 2024. Second breach occurred sometime before July 24, 2025 (the creation date of Kering's updated security policy).
- **Vector:** Salesforce attacks (specific initial vector not detailed but associated with known Salesforce compromise methods).
- **Details:** Threat actor ShinyHunters gained access to multiple Kering brands' data stored within Salesforce instances.
### Lateral Movement
- Details regarding internal exploitation or lateral movement beyond the initial access vector within the Salesforce/Kering infrastructure are not provided in the source material.
### Data Exfiltration/Impact
- **Gucci:** Reportedly comprised 43,483,137 records. Data fields included Total Sales, Name, Age Range, Birthdate, Emails, Mobile Phone, Address, Identifier, and Created Date (spanning 2017–2024).
- **Balenciaga, Brioni, Alexander McQueen:** Data sampled showed similar customer fields relating to Brand, Sales, Email, and Mobile Phone.
- **Total Scope:** The report mentions "more than 50 million records" across the two breaches.
### Detection & Response
- **Detection:** The breaches came to light through the threat actor (ShinyHunters), who contacted DataBreaches.Net.
- **Response Actions:** Kering reportedly remained publicly silent and did not disclose the breaches, even though the data had allegedly been exfiltrated months prior. The company updated its security policy on July 24, 2025, acknowledging the high risks of breaches, but no public incident response or notification was evident.
## Attack Methodology
- **Initial Access:** Compromise of Salesforce environment(s).
- **Persistence:** Not detailed.
- **Privilege Escalation:** Not detailed.
- **Defense Evasion:** Implied by the apparent lack of timely detection/disclosure by the organization.
- **Credential Access:** Not detailed.
- **Discovery:** Not detailed.
- **Lateral Movement:** Not detailed.
- **Collection:** Gathering of extensive customer Personally Identifiable Information (PII) and commercial data stored in Salesforce.
- **Exfiltration:** Transfer of data (potentially over 50 million records).
- **Impact:** Loss of customer trust, potential loss of competitive advantage, and potential loss of revenue due to data exposure, as outlined in Kering’s own policy.
## Impact Assessment
- **Financial:** Not estimated, but Kering's policy noted potential revenue loss as a key risk.
- **Data Breach:** Customer PII including names, emails, phone numbers, addresses, birthdates, and sales history. No SSNs or payment card data confirmed in the provided samples for US customers.
- **Operational:** No specific operational disruption mentioned, but risk to e-commerce integrity was cited.
- **Reputational:** Significant risk due to the high-profile nature of the brands (Gucci, Balenciaga, etc.) and the lack of public disclosure following the incident.
## Indicators of Compromise
*The source does not provide specific IOCs, only the affected systems (Salesforce).*
- **Network indicators:** N/A (Specific IOCs not mentioned).
- **File indicators:** N/A.
- **Behavioral indicators:** Successful data extraction from Kering's Salesforce configuration.
## Response Actions
- **Containment measures:** Unknown.
- **Eradication steps:** Unknown.
- **Recovery actions:** DataBreaches.Net was unable to confirm any regulatory notification or customer communication undertaken by Kering or the affected brands.
## Lessons Learned
- Kering possessed formal policies recognizing the severity of information security and the risks associated with theft and disclosure, yet failed to publicly acknowledge or rapidly respond to significant breaches involving millions of records.
- Inadequate visibility or alerting to detect unauthorized large-scale data extraction from critical cloud services (Salesforce).
## Recommendations
- Immediately audit and enhance security controls around Salesforce environments, focusing on MFA enforcement, least privilege access, and continuous monitoring for large-scale data exports.
- Establish clear protocols for timely disclosure and regulatory notification upon confirmation of a data breach, adhering to relevant international privacy laws.
- Implement robust threat hunting procedures that look for post-compromise activity across all cloud platforms hosting customer data.