Full Report
On September 11, DataBreaches broke the story that customers of several high-end fashion brands owned by Paris-headquartered Kering had their personal information acquired by ShinyHunters as part of two Salesforce attacks. As we reported, a spokesperson for ShinyHunters claimed to have acquired more than 43 million customer records from Gucci and almost 13 million records...
Analysis Summary
# Incident Report: Kering/Gucci/Balenciaga Data Breach via Salesforce Attack
## Executive Summary
Kering, the parent company of luxury brands including Gucci, Balenciaga, Brioni, and Alexander McQueen, suffered a significant data breach in June 2025 stemming from attacks targeting its Salesforce instances. The threat actor ShinyHunters claimed to have exfiltrated millions of customer records. Kering confirmed unauthorized access to limited customer data but denied negotiating or paying a ransom, claims that appear partially contradicted by preliminary evidence shared by the threat actor.
## Incident Details
- **Discovery Date:** June 2025 (when Kering says it "found" the intrusion). Public reporting began September 11, 2025.
- **Incident Date:** In June 2025.
- **Affected Organization:** Kering and its brands: Gucci, Balenciaga, Brioni, and Alexander McQueen.
- **Sector:** Luxury Retail / Fashion
- **Geography:** Paris-headquartered (Global impact suggested by customer data theft).
## Timeline of Events
### Initial Access
- **Date/Time:** June 2025.
- **Vector:** Attackers leveraged vulnerabilities in Kering's **Salesforce** systems.
- **Details:** An unauthorized third party temporarily accessed Kering's systems.
### Lateral Movement
- **Details:** Not explicitly detailed; any movement likely occurred within the compromised Salesforce environments that housed the customer data.
### Data Exfiltration/Impact
- **Details:** ShinyHunters claimed to have acquired:
- Over 43 million customer records from **Gucci**.
- Almost 13 million records from **Balenciaga**, **Brioni**, and **Alexander McQueen** combined.
- **Negotiation Period:** Alleged negotiations took place between the attackers and a representative claiming to be Balenciaga’s safety manager from June 20 to mid-August 2025.
### Detection & Response
- **Detection:** Kering stated it "found" the intrusion in June 2025. DataBreaches suggests the initial awareness may have come from the threat actor contacting the company, as Kering did not self-detect it.
- **Response Actions:**
- Reported the intrusion to competent authorities.
- Informed customers in accordance with local regulations.
- Took appropriate measures to secure affected systems.
## Attack Methodology
- **Initial Access:** Exploitation of Salesforce systems.
- **Persistence:** Not explicitly detailed.
- **Privilege Escalation:** Not explicitly detailed.
- **Defense Evasion:** Unknown; Kering's statement that the intrusion was identified quickly suggests its detection mechanisms eventually worked.
- **Credential Access:** Unknown, but likely involved exploiting configurations or vulnerabilities within the Salesforce environment to access customer records.
- **Discovery:** Reconnaissance techniques used before access are unknown.
- **Lateral Movement:** Within the Salesforce infrastructure or associated systems.
- **Collection:** Gathering of customer Personally Identifiable Information (PII).
- **Exfiltration:** Data transferred to the threat actor (ShinyHunters).
- **Impact:** Exposure of customer PII data.
## Impact Assessment
- **Financial:** Kering allegedly refused to pay a demanded ransom of 500,000 euros, although evidence suggests negotiations occurred. Financial cost of remediation and potential regulatory fines are unknown.
- **Data Breach:** **Customer PII** was compromised. Kering stated no financial information (credit cards, bank numbers) or national identification numbers (like Social Security Numbers) were compromised. Total unique customer count remains undisclosed (initial claims suggested over 56 million records across the brands).
- **Operational:** Disruption linked to managing the investigation and communication efforts.
- **Reputational:** Significant negative press coverage due to the scale of the breach and conflicting statements regarding communications with the threat actors.
## Indicators of Compromise
*Note: Specific IOCs were not provided in the article snippet; the following are examples based on the vector.*
- **Network indicators:** None published; suspicious outbound traffic patterns originating from Salesforce integration layers or API gateways would be the expected signal.
- **File indicators:** None applicable to this incident.
- **Behavioral indicators:** Unusual data extraction volumes from Salesforce instances; communication associated with known ShinyHunters infrastructure (if internal logs were analyzed).
## Response Actions
- **Containment:** Immediately reported the intrusion to authorities and took measures to secure affected systems.
- **Eradication:** Steps taken to address the vulnerability in the Salesforce environment that allowed unauthorized access.
- **Recovery:** Systems secured to prevent recurrence. Customer notification procedures reportedly initiated (though the notification method was questioned).
## Lessons Learned
- **Visibility:** Kering (and the affected brands) did not self-detect the breach; awareness reportedly came from external notification by the threat actor.
- **Transparency:** Kering provided inconsistent information to the press regarding negotiations with the threat actor, potentially damaging trust.
- **Scope Definition:** The initial public communication did not clearly state which brands were affected or the total scope of data loss, pending further regulatory filings.
## Recommendations
- **Salesforce Hardening:** Conduct immediate, comprehensive security audits and penetration testing focused specifically on the configuration and access controls of all Salesforce environments.
- **Enhanced Monitoring:** Implement logging and alerting for bulk data extraction and abnormal API usage patterns on platforms such as Salesforce, which act as critical customer-data stores.
- **Mandatory Disclosure Protocol:** Establish clear internal protocols for transparent communication with customers and the public, ensuring all statements reconcile with forensic evidence, particularly concerning ransomware demands and negotiations.
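The "Enhanced Monitoring" recommendation above, as an added example that is not part of the original report: a sliding-window check that flags any user (human or integration account) whose extracted row count from a SaaS data store exceeds a threshold within a short interval. The log records are constructed samples with a generic schema (user, timestamp, operation, rows); they do not reproduce Salesforce's real event-log format, and the threshold and window are assumed values to be tuned per environment.

```python
"""Flag bulk data extraction from a CRM/SaaS platform by summing rows pulled
per user inside a sliding time window.  Records below are constructed samples
with a generic audit-log shape, not Salesforce's actual event schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): an integration account pulling
# 20k rows every two minutes overnight, and a sales rep exporting small reports.
SAMPLE_EVENTS = [
    {"user": "integration@corp.example", "ts": "2025-06-20T02:05:00", "op": "query", "rows": 20000},
    {"user": "integration@corp.example", "ts": "2025-06-20T02:07:00", "op": "query", "rows": 20000},
    {"user": "integration@corp.example", "ts": "2025-06-20T02:09:00", "op": "query", "rows": 20000},
    {"user": "integration@corp.example", "ts": "2025-06-20T02:11:00", "op": "query", "rows": 20000},
    {"user": "sales.rep@corp.example", "ts": "2025-06-20T09:15:00", "op": "report_export", "rows": 1500},
    {"user": "sales.rep@corp.example", "ts": "2025-06-20T14:40:00", "op": "report_export", "rows": 1800},
]


def flag_bulk_extraction(events, row_threshold=50000, window=timedelta(minutes=30)):
    """Return {user: max_rows} for users whose rows extracted within any
    `window`-long interval reach `row_threshold` (assumed tuning values)."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append((datetime.fromisoformat(e["ts"]), int(e["rows"])))
    flagged = {}
    for user, recs in per_user.items():
        recs.sort()  # order by timestamp so the window can slide forward
        start, total = 0, 0
        for end in range(len(recs)):
            total += recs[end][1]
            # Drop oldest records until the window spans at most `window`.
            while recs[end][0] - recs[start][0] > window:
                total -= recs[start][1]
                start += 1
            if total >= row_threshold:
                flagged[user] = max(flagged.get(user, 0), total)
    return flagged


if __name__ == "__main__":
    for user, rows in flag_bulk_extraction(SAMPLE_EVENTS).items():
        print(f"ALERT bulk extraction: {user} pulled {rows} rows within 30 minutes")
```

In production the same check would run over the platform's exported API/report audit logs, with per-account baselines replacing the fixed threshold.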