Tendam

Spanish fashion retail group Tendam suffered a severe cyber attack in September 2024, in which cybercriminals gained unauthorized access to over 720 GB of sensitive data, potentially including customer information. The attackers demanded an €800,000 ransom in exchange for not publishing the stolen data. The breach not only risked exposing personal and transactional details of customers but also posed significant financial and reputational threats to the company. While the exact scope of the stolen data (e.g., payment details, identities) was not fully disclosed, the sheer volume (720 GB) suggests a large-scale compromise of customer records, consistent with the pattern in which ransomware groups exfiltrate data before encrypting it to maximize leverage. The attack disrupted operations, eroded trust, and forced Tendam into a high-stakes negotiation with cybercriminals, reflecting the escalating sophistication of threats targeting retail sectors with rich consumer databases.

Source: https://www.modaes.com/global/back-stage/target-hacking-fashion-a-year-of-cyber-attacks-on-adidas-kering-and-lvmh

TPRM report: https://www.rankiteo.com/company/tendam

"id": "ten2532925091725",
"linkid": "tendam",
"type": "Ransomware",
"date": "9/2024",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'industry': 'Fashion',
                        'location': 'Spain',
                        'name': 'Tendam',
                        'type': 'Fashion Retail Group'},
                       {'industry': 'Fashion',
                        'location': 'UK',
                        'name': 'Marks & Spencer',
                        'type': 'Retailer'},
                       {'customers_affected': '6.5 million members',
                        'industry': 'Fashion/General',
                        'location': 'UK',
                        'name': 'Co-op Group',
                        'type': 'Retailer'},
                       {'industry': 'Luxury',
                        'location': 'UK',
                        'name': 'Harrods',
                        'type': 'Luxury Department Store'},
                       {'industry': 'Fashion',
                        'location': 'USA',
                        'name': 'Victoria’s Secret',
                        'type': 'Lingerie Retailer'},
                       {'industry': 'Sports',
                        'location': 'Germany',
                        'name': 'Adidas',
                        'type': 'Sportswear'},
                       {'industry': 'Sports',
                        'location': 'USA',
                        'name': 'The North Face',
                        'type': 'Outdoor Apparel'},
                       {'customers_affected': 'Employees (emails only)',
                        'industry': 'Sports',
                        'location': 'France',
                        'name': 'Decathlon',
                        'type': 'Sporting Goods'},
                       {'industry': 'Luxury',
                        'location': 'France/China',
                        'name': 'Dior (LVMH)',
                        'type': 'Luxury Fashion'},
                       {'customers_affected': '419,000 (Asian market)',
                        'industry': 'Luxury',
                        'location': 'France',
                        'name': 'LVMH',
                        'type': 'Luxury Conglomerate'},
                       {'industry': 'Luxury',
                        'location': 'France',
                        'name': 'Cartier',
                        'type': 'Luxury Jewelry'},
                       {'industry': 'Luxury',
                        'location': 'Denmark',
                        'name': 'Pandora',
                        'type': 'Jewelry'},
                       {'industry': 'Luxury',
                        'location': 'France/USA',
                        'name': 'Chanel',
                        'type': 'Luxury Fashion'},
                       {'industry': 'Luxury',
                        'location': 'France',
                        'name': 'Kering (Gucci, Balenciaga, Alexander McQueen)',
                        'type': 'Luxury Conglomerate'},
                       {'customers_affected': '600,000+ (USA, France, Canada)',
                        'industry': 'Luxury Cosmetics',
                        'location': 'France',
                        'name': 'Clarins',
                        'type': 'Cosmetics'},
                       {'customers_affected': '230,000+ (2021 incident)',
                        'industry': 'Luxury',
                        'location': 'Italy',
                        'name': 'Moncler Group',
                        'type': 'Luxury Apparel'}],
 'attack_vector': ['Phishing',
                   'Credential Theft',
                   'Third-Party Vulnerabilities',
                   'AI-Optimized Attacks'],
 'customer_advisories': ['Data breach notifications',
                         'Password reset recommendations',
                         'Fraud monitoring offers'],
 'data_breach': {'data_exfiltration': True,
                 'number_of_records_exposed': [{'company': 'Co-op Group',
                                                'records': '6.5 million'},
                                               {'company': 'LVMH',
                                                'records': '419,000'},
                                               {'company': 'Clarins',
                                                'records': '600,000+'},
                                               {'company': 'Moncler',
                                                'records': '230,000+ (2021)'},
                                               {'company': 'Tendam',
                                                'records': '720 GB of data '
                                                           '(potential '
                                                           'customer data)'}],
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': ['Low (emails)',
                                         'Medium (PII)',
                                         'High (financial data in Moncler '
                                         'case)'],
                 'type_of_data_compromised': ['Names',
                                              'Addresses',
                                              'Email Addresses',
                                              'Phone Numbers',
                                              'Passport Details (LVMH)',
                                              'Purchase History (LVMH)',
                                              'Product Preferences (LVMH)',
                                              'Card Numbers (Moncler, 2021)']},
 'date_publicly_disclosed': '2024-01-01',
 'description': 'A wave of cyber attacks targeted major companies in the '
                'fashion, luxury, and cosmetics sectors in 2024, resulting in '
                'data breaches, operational disruptions, and financial losses. '
                'Attacks included ransomware, data exfiltration, and website '
                'outages, with some incidents linked to organized '
                'cybercriminal groups. High-profile victims included Tendam, '
                'Marks & Spencer, Co-op Group, Victoria’s Secret, LVMH (Dior, '
                'Louis Vuitton), Kering (Gucci, Balenciaga), Cartier, Chanel, '
                'Pandora, Clarins, Adidas, The North Face, and Decathlon. '
                'Regulatory fines and legal actions followed in some cases, '
                'particularly in Asia.',
 'impact': {'brand_reputation_impact': ['Stock Drops (e.g., Victoria’s Secret '
                                        '-8%)',
                                        'Loss of Customer Trust'],
            'customer_complaints': True,
            'data_compromised': True,
            'downtime': [{'company': 'Marks & Spencer', 'duration': 'weeks'},
                         {'company': 'Victoria’s Secret', 'duration': '4 days'},
                         {'company': 'Harrods',
                          'duration': 'brief restriction'}],
            'financial_loss': [{'amount': '$404 million',
                                'company': 'Marks & Spencer'},
                               {'amount': '8% stock drop',
                                'company': 'Victoria’s Secret'},
                               {'general': '$5 million average per incident '
                                           '(138% increase from 2023)'},
                               {'global_estimate': '$10.5 trillion by 2025'}],
            'identity_theft_risk': True,
            'legal_liabilities': [{'action': 'Chinese administrative sanction '
                                             'for illegal data transfer',
                                   'company': 'Dior (LVMH)'},
                                  {'company': 'Moncler Group',
                                   'fine': '88 million won ($63,200) by South '
                                           'Korea’s PIP Commission'}],
            'operational_impact': ['Website Crashes',
                                   'Order Pauses',
                                   'Supply Chain Disruptions'],
            'payment_information_risk': [{'company': 'Moncler Group',
                                          'details': 'Card numbers exposed'},
                                         {'company': 'General',
                                          'details': 'Most companies claimed '
                                                     'financial data was '
                                                     'safe'}],
            'revenue_loss': [{'amount': '$404 million',
                              'company': 'Marks & Spencer'},
                             {'general': 'Estimated $200 billion spent on '
                                         'cybersecurity in 2024'}],
            'systems_affected': ['E-commerce Platforms',
                                 'Customer Databases',
                                 'Third-Party Service Providers']},
 'initial_access_broker': {'data_sold_on_dark_web': [{'company': 'Tendam',
                                                      'status': 'Threatened '
                                                                '(720 GB)'},
                                                     {'company': 'Clarins',
                                                      'status': 'Published by '
                                                                'Everest '
                                                                'group'}],
                           'entry_point': ['Phishing',
                                           'Third-Party Vendors',
                                           'Credential Theft'],
                           'high_value_targets': ['Customer Databases',
                                                  'E-commerce Platforms']},
 'investigation_status': [{'company': 'Tendam',
                           'status': 'Ongoing (ransomware)'},
                          {'company': 'Co-op Group',
                           'status': 'Completed (2024)'},
                          {'company': 'Dior (LVMH)',
                           'status': 'Ongoing (Chinese investigation)'},
                          {'company': 'Kering',
                           'status': 'Attributed to ShinyHunters (2024)'}],
 'lessons_learned': ['Third-party vendor risks are a major attack vector.',
                     'AI-optimized attacks are increasing in sophistication.',
                     'Average containment time remains high (73 days).',
                     'Luxury and fashion sectors are prime targets due to '
                     'high-value customer data.',
                     'Regulatory scrutiny is intensifying, especially in '
                     'Asia.'],
 'motivation': ['Financial Gain', 'Data Theft', 'Disruption'],
 'post_incident_analysis': {'corrective_actions': ['Mandatory third-party '
                                                   'audits',
                                                   'Accelerated incident '
                                                   'response playbooks',
                                                   'Enhanced employee training '
                                                   'on phishing',
                                                   'Cross-border data transfer '
                                                   'reviews'],
                            'root_causes': ['Inadequate third-party security '
                                            'controls',
                                            'Delayed patching of known '
                                            'vulnerabilities',
                                            'Lack of network segmentation',
                                            'Over-reliance on legacy systems']},
 'ransomware': {'data_exfiltration': True,
                'ransom_demanded': [{'amount': '€800,000',
                                     'company': 'Tendam'}]},
 'recommendations': ['Enhance third-party vendor cybersecurity assessments.',
                     'Invest in AI-driven threat detection and response.',
                     'Implement stricter data transfer compliance measures '
                     '(e.g., cross-border).',
                     'Improve incident response times with automated tools.',
                     'Conduct regular red-team exercises to test defenses.'],
 'references': [{'source': 'McKinsey'},
                {'date_accessed': '2024-07',
                 'source': 'UK National Crime Agency'},
                {'source': 'South Korea’s Personal Information Protection '
                           'Commission'}],
 'regulatory_compliance': {'fines_imposed': [{'amount': '88 million won '
                                                        '($63,200)',
                                              'company': 'Moncler Group'},
                                             {'amount': 'Administrative '
                                                        'sanction '
                                                        '(unspecified)',
                                              'company': 'Dior (LVMH)'}],
                           'legal_actions': [{'action': 'Investigation into '
                                                        'Dior’s data transfer',
                                              'country': 'China'},
                                             {'action': 'Fine for Moncler’s '
                                                        '2021 breach',
                                              'country': 'South Korea'}],
                           'regulations_violated': ['China’s Data Transfer '
                                                    'Laws (Dior/LVMH)',
                                                    'South Korea’s Personal '
                                                    'Information Protection '
                                                    'Act (Moncler)'],
                           'regulatory_notifications': True},
 'response': {'communication_strategy': ['Public Disclosures',
                                         'Customer Advisories'],
              'containment_measures': ['Website Shutdowns',
                                       'Order Pauses',
                                       'Data Isolation'],
              'incident_response_plan_activated': True,
              'law_enforcement_notified': [{'action': 'National Crime Agency '
                                                      'arrested 4 suspects '
                                                      '(July 2024)',
                                            'country': 'UK'},
                                           {'action': 'Administrative sanction '
                                                      'against Dior (LVMH)',
                                            'country': 'China'},
                                           {'action': 'PIP Commission fined '
                                                      'Moncler Group',
                                            'country': 'South Korea'}],
              'recovery_measures': ['System Restores',
                                    'Customer Notifications'],
              'third_party_assistance': True},
 'stakeholder_advisories': ['Customer notifications',
                            'Regulatory filings',
                            'Investor disclosures (e.g., Victoria’s Secret '
                            'stock drop)'],
 'threat_actor': ['ShinyHunters',
                  'Everest',
                  'Unidentified Cybercriminal Groups'],
 'title': 'Series of Cyber Attacks on Fashion, Luxury, and Cosmetics Companies '
          '(2024)',
 'type': ['Data Breach', 'Ransomware', 'DDoS', 'Unauthorized Access']}