Kering

Kering, a French luxury goods conglomerate, suffered a data breach in April when an unauthorized third party (the cybercriminal group **Shiny Hunters/UNC6040**) gained temporary access to its systems. The attacker exploited compromised employee credentials to access **Salesforce software**, stealing customer data linked to **7.4 million unique email addresses**. The exposed information included **purchase histories (e.g., 'Total Sales' showing individual spending up to $86,000)**, raising concerns about targeted secondary scams against high-value customers. While no financial data (e.g., bank details, credit cards, or government IDs) was compromised, the breach poses significant **reputational and fraud risks**. The hacker demanded a **ransom in Bitcoin**, which Kering refused per law enforcement guidance. The company privately notified affected customers but made **no public disclosure**, despite the breach coinciding with similar attacks on other luxury brands (e.g., Cartier, Louis Vuitton). Google later linked Shiny Hunters to a broader campaign of **phishing-based Salesforce breaches**, highlighting systemic vulnerabilities in employee authentication.

Source: https://www.bbc.co.uk/news/articles/crl5j8ld615o

TPRM report: https://www.rankiteo.com/company/kering

"id": "ker0692106091525",
"linkid": "kering",
"type": "Cyber Attack",
"date": "4/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 7400000,
                        'industry': 'Luxury Goods',
                        'location': 'France',
                        'name': 'Kering',
                        'size': 'Large (multinational, owns brands like Gucci, '
                                'Saint Laurent, Bottega Veneta)',
                        'type': 'Conglomerate'}],
 'attack_vector': ['Credential Theft (Salesforce Logins)',
                   'Social Engineering'],
 'customer_advisories': 'Emailed notifications to affected individuals',
 'data_breach': {'data_exfiltration': 'Confirmed (sample shared with BBC as '
                                      'proof)',
                 'file_types_exposed': ['Customer databases', 'Sales records'],
                 'number_of_records_exposed': 7400000,
                 'personally_identifiable_information': 'Partial (emails only; '
                                                        'no government IDs or '
                                                        'financial data)',
                 'sensitivity_of_data': 'Moderate (no financial/PII like SSNs, '
                                        'but spending habits reveal high-value '
                                        'targets)',
                 'type_of_data_compromised': ['Personal Data (emails)',
                                              'Transaction Data (Total Sales)',
                                              'Customer Profiles']},
 'date_detected': '2023-06',
 'description': 'The luxury goods conglomerate Kering suffered a data breach '
                'in April, where an unauthorized third party (Shiny Hunters) '
                'gained temporary access to its systems and exfiltrated '
                'customer data linked to 7.4 million unique email addresses. '
                "The stolen data includes 'Total Sales' figures, revealing "
                'high-spending customers who may now be targeted for secondary '
                'scams. Kering refused to pay the ransom demanded by Shiny '
                'Hunters and claims no financial or government-issued '
                'identification data was compromised. The breach was part of a '
                'broader wave of attacks on luxury brands, including Cartier '
                'and Louis Vuitton.',
 'impact': {'brand_reputation_impact': 'Moderate to High (luxury brand trust '
                                       'erosion, potential secondary scams '
                                       'targeting high-spending customers)',
            'customer_complaints': 'Likely (not quantified; customers notified '
                                   'via email)',
            'data_compromised': {'customer_records': 7400000,
                                 'details': ['Email addresses',
                                             'Total Sales (purchase history)',
                                             'Customer spending patterns']},
            'identity_theft_risk': 'Low (no government-issued IDs or financial '
                                   'data stolen, but high-spending customers '
                                   'at risk of targeted scams)',
            'legal_liabilities': 'None disclosed (company claims compliance '
                                 'with notification requirements)',
            'operational_impact': 'Temporary unauthorized access; systems '
                                  'later secured',
            'payment_information_risk': 'None (no credit card or bank details '
                                        'compromised)',
            'systems_affected': ['Internal Salesforce software',
                                 'Customer databases']},
 'initial_access_broker': {'data_sold_on_dark_web': 'Potential (hacker claimed '
                                                    'negotiations; no '
                                                    'confirmation of sale)',
                           'entry_point': 'Compromised employee credentials '
                                          '(Salesforce logins)',
                           'high_value_targets': 'Customer data (especially '
                                                 'high-spending individuals)',
                           'reconnaissance_period': 'Unknown (breach detected '
                                                    'in June, occurred in '
                                                    'April)'},
 'investigation_status': 'Ongoing (company claims systems secured; no further '
                         'updates)',
 'motivation': ['Financial Gain',
                'Data Exfiltration for Secondary Exploitation'],
 'post_incident_analysis': {'root_causes': ['Social engineering (phished '
                                            'credentials)',
                                            'Insufficient multi-factor '
                                            'authentication (MFA) on '
                                            'Salesforce',
                                            'Lack of early detection (breach '
                                            'undetected for ~2 months)']},
 'ransomware': {'data_encryption': 'No (data exfiltrated but not encrypted)',
                'data_exfiltration': 'Yes',
                'ransom_demanded': 'Yes (amount undisclosed, demanded in '
                                   'Bitcoin)',
                'ransom_paid': 'No (company refused per law enforcement '
                               'advice)'},
 'references': [{'source': 'BBC News'},
                {'source': 'Google Threat Analysis Group (UNC6040 warning)'}],
 'regulatory_compliance': {'regulatory_notifications': 'Customers notified via '
                                                       'email (no public '
                                                       'disclosure required '
                                                       'per legal '
                                                       'obligations)'},
 'response': {'communication_strategy': {'external': 'Emailed affected '
                                                     'customers (no public '
                                                     'statement)',
                                         'internal': None,
                                         'transparency_level': 'Low (no '
                                                               'details on '
                                                               'number of '
                                                               'victims or '
                                                               'public '
                                                               'disclosure)'},
              'containment_measures': ['Secured IT systems',
                                       'Revoked unauthorized access'],
              'incident_response_plan_activated': 'Yes (systems secured '
                                                  'post-breach)',
              'law_enforcement_notified': 'Implied (followed advice not to pay '
                                          'ransom)'},
 'stakeholder_advisories': 'None (no public statements)',
 'threat_actor': {'known_aliases': ['UNC6040'],
                  'motivation': ['Financial Gain (Ransom Demand)',
                                 'Data Theft for Resale'],
                  'name': 'Shiny Hunters (aka UNC6040)',
                  'type': 'Individual/Cybercriminal Group'},
 'title': 'Kering Data Breach by Shiny Hunters',
 'type': ['Data Breach', 'Unauthorized Access'],
 'vulnerability_exploited': 'Human error (tricked employees into handing over '
                            'login credentials for internal Salesforce '
                            'software)'}