Gucci and Balenciaga Customer Data Exposed in Massive Kering Breach: What Was Stolen and What to Do Now
If you’ve ever shopped at Gucci, Balenciaga, or Alexander McQueen, this one’s for you. Luxury conglomerate Kering has confirmed a major data breach, and a notorious cyber gang claims it includes 7.4 million email addresses and detailed spending histories. No, not card numbers—but something arguably more dangerous: “Total Sales” figures that map how much individual customers spent, sometimes tens of thousands of dollars. Here’s why that matters—and what to do next.
In this guide, I’ll break down what happened, how the attack worked, the real risks for high-spending customers, and the exact steps you should take today to protect yourself from targeted scams. I’ll also unpack what businesses can learn from this wave of luxury brand attacks and the alarming rise of voice phishing (vishing) used to bypass multi-factor authentication.
Let’s get into it.
Key facts at a glance
- Kering confirmed a data breach impacting customer records for Gucci, Balenciaga, and other brands.
- Data reportedly includes names, contact details, addresses, and “Total Sales” amounts—with some customers spending $10,000 to $86,000+.
- Cybercriminal group ShinyHunters claimed responsibility and says it holds data tied to 7.4 million email addresses.
- Kering says no payment card numbers were compromised.
- Attackers used “voice phishing” (vishing), impersonating IT support to trick employees into authorizing malicious apps and bypassing MFA.
- The FBI has warned about this group, noting a trend of highly targeted social engineering and attacks against Salesforce environments.
- This is part of a wider campaign targeting luxury brands, including LVMH labels and Richemont’s Cartier, with hundreds of thousands of customers affected across multiple countries.
For source coverage, see reporting by BBC News, Computer Weekly, TechCrunch, and federal guidance from the FBI’s IC3 and CISA.
What happened in the Kering breach?
According to media reports and Kering’s public statements:
- The attack occurred in April and was discovered in June.
- The stolen data includes customer names, emails, phone numbers, addresses, and “Total Sales” values.
- Financial account data (like full card numbers) was not included, per Kering.
- The attackers claim they engaged in ransom discussions, but Kering says it did not negotiate and refused to pay, following law enforcement guidance.
ShinyHunters—an experienced data-theft and extortion group—claimed responsibility via Telegram. The group is linked to a wave of intrusions across consumer and retail industries. The FBI has warned that ShinyHunters and related crews are using sophisticated social engineering, and specifically “voice phishing,” to defeat multi-factor authentication and gain access to systems.
Here’s the twist: the most sensitive piece of information isn’t the usual—no card numbers or bank logins. It’s spending totals. That may sound less scary, but it can enable precise, targeted scams.
Why “Total Sales” data is uniquely risky
You can change a password. You can cancel a card. But you can’t “reset” your spending history.
Here’s why the exposure of spending totals matters:
- It highlights high-value targets. If attackers know you’ve spent $30,000 to $86,000 at luxury retailers, you’ll be prioritized for scams.
- It enables hyper-personalized fraud. Attackers can say, “We’re calling from Gucci regarding your recent $12,500 order at our Fifth Avenue store.” That specificity disarms skepticism.
- It increases the likelihood of account takeovers. Fraudsters may try to reset passwords on loyalty programs, store accounts, or email accounts tied to orders.
- It links physical addresses to financial capacity. That combination can lead to attempts at package interception, bogus courier scams, or—rarely but seriously—physical threats.
Let me explain: scammers typically rely on generic lures (“Your package is delayed”). With “Total Sales” data, they can craft emails or phone calls that feel real—right down to store locations and timeframes—because the numbers align with your past shopping behavior. That’s why this breach is different.
How the attackers got in: voice phishing and Salesforce social engineering
The attackers reportedly used “vishing,” calling employees while impersonating IT support to trick them into approving malicious applications or sharing one-time codes. This technique often targets identity and access layers—think SSO providers, OAuth-connected apps, or admin consoles.
Key points:
- Vishing defeats weak MFA. If an employee approves a malicious OAuth app or reads a one-time code to a “support agent,” attackers can bypass MFA.
- Salesforce is in the crosshairs. The FBI and researchers have warned about social engineering focused on Salesforce and related platforms. Linked OAuth apps and API keys can open doors to large customer datasets.
- The group is patient. According to the FBI, groups like ShinyHunters may exfiltrate data and only extort victims weeks or months later.
For background on vishing tactics and how to resist them, read the joint advisory from CISA and the FBI.
The luxury sector is under siege
Kering’s breach isn’t isolated. In 2025, multiple luxury houses reported incidents:
- LVMH brands (including Louis Vuitton and Dior) disclosed separate breaches, with regional impacts across the UK, South Korea, and Turkey.
- Richemont’s Cartier confirmed a breach in June.
- Other retailers, from Victoria’s Secret to Marks & Spencer, have been on target lists.
Why luxury brands?
- Customer databases are treasure troves of high-net-worth individuals.
- Even without card data, personal and spending details have high resale value.
- The supply chain (stores, boutiques, partners, service providers) increases the attack surface.
Security researchers say the focus on spending data suggests a strategic shift: cybercriminals aren’t just chasing payment data anymore—they’re curating target lists for future fraud and extortion.
What data was exposed—and what wasn’t
Based on reports and company statements:
Exposed (varies by individual):
– Full name
– Email address
– Phone number
– Postal address
– “Total Sales” figures (cumulative customer spend)
– Possibly store location history and contact preferences
Not exposed (per Kering):
– Full credit card numbers
– Bank account numbers
– Passwords (not reported as part of this breach)
What that means for you: You’re not at immediate risk of card fraud from stolen numbers. But you face a high risk of phishing, vishing, loyalty account takeover, and targeted scams leveraging your spending history.
If you’re a Kering customer, do this now
You don’t need to panic—but you do need to act. Here’s your prioritized checklist:
1) Lock down your accounts
– Change passwords for Gucci, Balenciaga, Alexander McQueen, and any Kering brand accounts you’ve used.
– Use a unique, 14+ character passphrase for each account. A password manager makes this easy.
– Enable multi-factor authentication (MFA) wherever available.
2) Protect your email first
– Your email is the reset key to everything else. Use a strong, unique password and MFA (ideally an app or security key, not SMS).
– Consider phishing-resistant MFA like security keys (FIDO2/WebAuthn). See the FIDO Alliance for options.
3) Expect targeted phishing and vishing
– Don’t click links in “order problems,” “refunds,” or “account verification” emails or texts—go to the brand website/app directly.
– If someone calls claiming to be from Gucci/Balenciaga support, hang up and call back using the official number on the website.
– Never read out MFA codes or approve login prompts you didn’t initiate.
4) Monitor financial and identity signals
– Set up transaction alerts with your bank and credit card issuer.
– In the U.S., consider a credit freeze with Equifax, Experian, and TransUnion. It’s free and can block new-account fraud.
– In the EU/UK, watch for new credit applications and consider services that alert you to changes.
5) Safeguard your address and delivery habits
– Consider using parcel lockers or store pickup for high-value deliveries.
– Avoid sharing travel plans or luxury purchases on social media that tie back to your home address.
6) Check if your email is in other breaches
– Use Have I Been Pwned to see if your email appears in known data breaches and enable notifications.
7) Use your data rights
– In the UK, consult the ICO for guidance on accessing, correcting, or restricting your data.
– In France/EU, see CNIL’s overview of rights.
– You can request details on what data the company holds about you and ask for minimization or deletion where applicable.
8) Report scams
– U.S.: report to the FBI’s IC3.
– UK: report to Action Fraud (via gov.uk).
– EU: check your national cybercrime reporting portal or consult Europol cybercrime resources.
It’s okay to feel frustrated—breach fatigue is real. But a few proactive steps now can dramatically lower your risk.
The playbook scammers may use next
Knowing what’s coming helps you block it. Expect:
- “Refund or order issue” emails and texts: Links to fake portals mimicking Gucci/Balenciaga.
- “Loyalty points” or “VIP event” lures: Designed to collect login details or payment for fake deposits.
- “Courier reschedule” SMS: Tries to install malware or capture card info via fake delivery fees.
- Phone calls from “IT” or “support”: Urgent-sounding requests for account verification, MFA codes, or prompt approvals.
- Fake charge disputes: “We noticed a $12,475 charge”—crafted to mirror your spending profile and push you to click fast.
Golden rule: If it’s urgent and unexpected, slow down. Verify through official channels.
What businesses can learn: 12 hardening moves that matter now
This breach is a wake-up call for retailers and any company holding sensitive customer data—especially in Salesforce, marketing clouds, loyalty systems, and POS-linked data lakes.
1) Move to phishing-resistant MFA
– Adopt FIDO2/WebAuthn security keys for admins, support staff, and anyone with elevated access.
2) Eliminate push fatigue risks
– Replace “tap to approve” prompts with number-matching and step-up checks for high-risk actions.
3) Lock down OAuth and connected apps
– In Salesforce: restrict who can authorize connected apps, enforce high-assurance sessions, review scopes, and block unverified publishers.
– Monitor app installations and token usage with event monitoring.
4) Shrink access with least privilege
– Limit who can view “Total Sales” or high-sensitivity fields. Use field-level security and data masking.
5) Minimize and segment sensitive data
– Don’t centralize cumulative spend across systems unless it’s essential. Aggregate on demand. Encrypt at rest and in use.
– Shorten retention windows for sales figures and PII.
6) Strengthen identity governance
– Quarterly reviews of users, roles, and access to sensitive reports. Break-glass accounts with out-of-band controls.
7) Train for vishing—then validate with process
– Teach staff to verify callers via internal directories, not caller ID.
– Require ticket numbers and callback via official lines before any MFA resets or app approvals.
8) Add out-of-band verification for critical changes
– For password resets, device enrollment, and app approvals, require a second channel (internal chat, ticketing, or manager sign-off).
9) Instrument the environment
– Log deeply and centrally. Alert on anomalous data exports, report runs, and mass downloads—especially for VIP lists.
– Use UEBA to catch abnormal access patterns.
10) Test with red teams and tabletop exercises
– Simulate vishing to measure resilience. Practice incident response and executive communications ahead of time.
11) Vet third parties
– Audit agencies, boutiques, and partners with access to CRM/marketing platforms. Contractually require MFA, logging, and rapid breach notification.
12) Prepare for regulatory and class-action exposure
– Align with GDPR, PCI DSS where applicable, and emerging state privacy laws. Document decisions and demonstrate reasonable security.
For deeper guidance, see the Verizon Data Breach Investigations Report, NIST SP 800-63 Digital Identity Guidelines, and Salesforce’s MFA overview.
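To make moves 3 and 9 concrete (alerting on anomalous exports of “Total Sales”-style fields and on unverified connected-app installs), here is an added example written for this article; it is not Kering’s or Salesforce’s tooling. The JSON event format, the user names, the field names and the approved-exporter allowlist are all assumptions constructed for the demo.

```python
import json
from collections import defaultdict
from statistics import median

# Constructed sample log lines in a hypothetical JSON event format
# (assumed for this example; not any real CRM product's log schema).
SAMPLE_LOGS = """
{"ts":"2025-04-10T09:01:00Z","user":"ana@example.com","event":"ReportExport","rows":120,"fields":["Name","Email"]}
{"ts":"2025-04-10T09:20:00Z","user":"ana@example.com","event":"ReportExport","rows":95,"fields":["Name","Email"]}
{"ts":"2025-04-11T10:05:00Z","user":"ana@example.com","event":"ReportExport","rows":140,"fields":["Name","Email"]}
{"ts":"2025-04-12T02:13:00Z","user":"ana@example.com","event":"ReportExport","rows":74000,"fields":["Name","Email","Total_Sales","Address"]}
{"ts":"2025-04-12T02:14:00Z","user":"ana@example.com","event":"ConnectedAppInstall","app":"data-loader-helper","publisher":"unverified"}
{"ts":"2025-04-12T08:00:00Z","user":"bob@example.com","event":"ReportExport","rows":300,"fields":["Name","Total_Sales"]}
"""

# High-sensitivity fields: the kind of data this article says should be minimized.
SENSITIVE_FIELDS = {"Total_Sales", "Address", "Phone"}
# Hypothetical allowlist: the few accounts permitted to export those fields at all.
APPROVED_SENSITIVE_EXPORTERS = {"bob@example.com"}


def parse_events(text):
    """Parse one JSON object per non-empty line; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def find_alerts(events, spike_ratio=10.0, min_rows=1000):
    """Return (alert_type, user, ts) tuples for three conditions the hardening list
    calls out: a per-user export volume spike, an export of sensitive fields by a
    non-approved user, and a connected app installed from an unverified publisher."""
    alerts = []
    history = defaultdict(list)  # user -> row counts of that user's earlier exports
    for ev in events:
        user, ts = ev.get("user", "?"), ev.get("ts", "?")
        if ev.get("event") == "ReportExport":
            rows = int(ev.get("rows", 0))
            prior = history[user]
            # Baseline is the user's own median, so a normally low-volume account
            # pulling 74k rows stands out even if other users export more.
            if prior and rows >= min_rows and rows > spike_ratio * median(prior):
                alerts.append(("bulk_export_spike", user, ts))
            if set(ev.get("fields", [])) & SENSITIVE_FIELDS and user not in APPROVED_SENSITIVE_EXPORTERS:
                alerts.append(("sensitive_field_export", user, ts))
            prior.append(rows)
        elif ev.get("event") == "ConnectedAppInstall" and ev.get("publisher") == "unverified":
            alerts.append(("unverified_connected_app", user, ts))
    return alerts
```

Running `find_alerts(parse_events(SAMPLE_LOGS))` flags only the 2 a.m. bulk export of Total_Sales and the unverified app install; the approved user’s routine export is not alerted on.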
Will Kering pay? What refusal means in 2025
Kering says it refused ransom payment and followed law enforcement guidance. That’s consistent with a growing stance: paying doesn’t guarantee deletion, it invites repeat targeting, and it can violate sanctions in some contexts. Law enforcement generally discourages paying.
However, refusal doesn’t end the story. Expect:
- Data leaks or auctions on criminal forums.
- Phased extortion—attackers may target executives, VIP clients, or partners directly.
- Public relations pressures as more details surface.
In plain terms: even when victims do the right thing and refuse payment, customers still need to protect themselves. You can’t control the leak, but you can control your exposure to follow-on fraud.
Could “Total Sales” data fuel physical risks?
It’s a fair question. Luxury spending and home addresses in the same dataset might worry some readers. The most common outcomes are digital (phishing, account takeover), not physical crime. That said:
- Don’t share delivery times or travel plans publicly.
- Use pickup points or lockers for high-value items.
- Consider home security basics (cameras, alarms) and avoid predictable schedules for deliveries.
Practical, not paranoid. The goal is to lower your profile and reduce signals that scammers can exploit.
Regulatory and legal fallout: what might come next
Given the scope and sensitivity of the data, regulators will likely ask hard questions. Under GDPR and similar laws, companies must:
- Notify authorities and affected individuals within defined timeframes when risk is high.
- Demonstrate appropriate security measures and data minimization.
- Provide customers with access and deletion options where applicable.
Outcomes could include investigations, fines, and class actions—especially if security controls, vendor oversight, or data minimization fell short. For consumers, this often leads to extended monitoring support or more transparency from the brand.
How to spot a vishing attempt (and shut it down)
Think of vishing as phishing by phone. The script usually follows the same beats:
- “Urgent” problem: “We detected suspicious activity; we need to verify your account.”
- Authority cue: Caller claims to be IT, security, or a brand specialist.
- Shortcut request: “I’ll send a code; read it back” or “Approve the prompt I just sent.”
- Time pressure: “We must act now or your account will be locked.”
Your response playbook:
- Do not provide codes or approve prompts you didn’t initiate.
- Say you’ll call back using the official number on the company site—then do it.
- If it’s work-related, verify with your IT helpdesk through your internal directory or ticketing system.
More on avoiding phishing and vishing: UK NCSC guidance.
What happens to stolen luxury customer data?
A few typical paths:
- Private sale to other criminal groups (for spear-phishing and VIP-target fraud).
- Targeted extortion against high-spending individuals (“Pay or we leak your purchase history”).
- Credential stuffing if any passwords surfaced in related incidents (always use unique passwords).
- Mixed use with data broker leaks to enrich profiles.
You can’t control the underground market, but you can harden your surface area—especially your email, financial accounts, and mobile number.
The bottom line: your action plan
If you’ve shopped at Gucci, Balenciaga, or other Kering brands:
- Reset passwords and turn on MFA now.
- Treat unsolicited messages—especially about orders, refunds, or loyalty points—as suspicious.
- Monitor accounts and consider a credit freeze (U.S.).
- Use your data rights to get clarity and reduce exposure.
For businesses, the lesson is blunt: invest in phishing-resistant identity, lock down OAuth and CRM access, minimize sensitive analytics like “Total Sales,” and train for vishing. The threat actors are organized, patient, and increasingly focused on data that empowers tailored fraud—not just card numbers.
If you want one takeaway, it’s this: the most dangerous data in 2025 is the kind that makes scams feel personal. Protect it accordingly.
Frequently Asked Questions
Q: Was my credit card information stolen in the Kering breach?
A: Kering has said no payment card data was compromised. The exposed information reportedly includes names, contact details, addresses, and “Total Sales” amounts. Still, watch for targeted scams and monitor your accounts.
Q: Why is “Total Sales” data a big deal if it’s not a card number?
A: It lets attackers identify high-spending customers and craft convincing scams using realistic purchase histories and amounts. That increases the chances victims will trust a fake email or call.
Q: How do I know if my data was affected?
A: Look for official communication from the brand(s) you’ve shopped with. You can also exercise your access rights (GDPR/UK) via the ICO or CNIL. Consider monitoring your email on Have I Been Pwned.
Q: Should I change my passwords?
A: Yes. Update passwords for Gucci, Balenciaga, Alexander McQueen, and related accounts. Use unique, long passphrases and enable MFA.
Q: What is voice phishing (vishing)?
A: Criminals call you pretending to be IT or customer support. They push you to share MFA codes or approve login prompts. Don’t comply—hang up and call back using official numbers. See the joint alert from CISA and the FBI.
Q: Should I freeze my credit?
A: If you’re in the U.S., a credit freeze is a strong preventative step against new-account fraud. It’s free and reversible. Even though this breach didn’t include SSNs or card numbers (based on current info), a freeze offers peace of mind.
Q: I got an email about a refund or VIP event—what do I do?
A: Don’t click embedded links. Go to the brand’s official website or app to verify. If it’s a phone call, ask for a case number and call back via the official support line.
Q: Will Kering pay the ransom?
A: Kering has said it did not negotiate and refused to pay, following law enforcement guidance. Attackers may still leak or sell data. Continue practicing good security hygiene.
Q: How long will the risk last?
A: Breach fallout can persist for months or years, especially with data like spending history. Keep security hygiene routines in place and stay skeptical of unsolicited contact.
Final takeaway
This breach is a turning point. Cybercriminals are moving beyond raw card numbers and toward the data that makes scams believable—like your lifetime spend at luxury brands. If you shop high-end, assume scammers now know it, and harden your defenses accordingly: strong, unique passwords, phishing-resistant MFA, and a “verify first” mindset for any contact about your orders or accounts.
If you found this breakdown helpful, consider bookmarking it or subscribing for more practical, human-first security guides as this story evolves. Stay safe—and stay skeptical.