Luxury Briefing: Chanel data breach signals rising luxury cyber risks

In a letter sent to clients, Chanel said that on July 25 it had “become aware of a security incident involving a Chanel Inc. database in the U.S. hosted by a third-party service provider, where an unauthorized external party accessed and obtained some of the client data we hold.”

A spokeswoman for Chanel confirmed the details to WWD, adding that “the investigation indicates that there was unauthorized access to this database. There was no malware deployed to our systems, and our operations remain unaffected.” Chanel stressed that its response protocols were immediately activated and “leading cybersecurity experts” were engaged to manage the incident. The brand did not respond to repeated requests for comment. 

The affected database held details for individuals who had contacted Chanel’s U.S. client care center, including names, email addresses, mailing addresses and phone numbers. “No other information was contained in the database. The clients affected have been informed,” the company said.

Customers were advised to be vigilant for suspicious emails or calls and reminded that “Chanel will never reach out to you for your password or sensitive information, or send you links to identify yourself, through unsolicited emails, messages or phone calls.” Chanel apologized directly, stating, “Chanel sincerely apologized for this incident and would like to assure you that Chanel takes the protection of our client data extremely seriously. Data security and the privacy of our clients are of the utmost importance for Chanel, and we have dedicated significant resources to responding to the situation.”

The incident is among many recent phishing and social engineering attacks, often targeting customer care databases hosted on third-party platforms. Salesforce, the U.S.-based software company whose platform hosted the compromised database, provided Glossy with the following statement: “Salesforce has not been compromised, and the issues described are not due to any known vulnerability in our platform. While Salesforce builds enterprise-grade security into everything we do, customers also play a critical role in keeping their data safe, especially amid a rise in sophisticated phishing and social engineering attacks.”

One hacking group believed to be exploiting these vectors is Scattered Spider, notorious for tricking employees into handing over access credentials by posing as IT staff or trusted colleagues. However, the group has not claimed responsibility for the attacks on luxury maisons. The group became known after its attacks on MGM Resorts and Caesars Entertainment in September 2023.

Other luxury brands have also been impacted. Swiss jewelry brand Cartier confirmed earlier this year that “an unauthorized party gained temporary access to our system,” exposing limited client data, although no financial or password information was compromised. And U.S. lingerie retailer Victoria’s Secret temporarily took its e-commerce site offline in May following a cybersecurity incident, which it disclosed on its earnings call.

LVMH’s stock fell 3.2% following the disclosure of Dior’s January 2023 data breach, which exposed customer contact and purchase details and was only disclosed in May 2025, violating South Korea’s data protection rules and triggering a potential ₩30 million ($21,859) fine and regulatory investigation. Tiffany & Co.’s April 2025 breach, reported 39 days after discovery, and Louis Vuitton Korea’s June 2025 breach, reported 24 days later, also drew scrutiny from the Personal Information Protection Commission (PIPC).

Even unrelated outages have shown how vulnerable fashion systems can be. In July last year, cybersecurity company CrowdStrike experienced a software update failure that caused global disruption. Canadian footwear brand Aldo had to manually intervene to keep stores and e-commerce running. “The first place to start is the mindset,” Aldo CIO Matthieu Houle told Glossy. “You need awareness and training, as it only takes one person to make a mistake or be hacked.”

The reason why the luxury brands are being targeted is multifaceted. “Cybercriminals follow the money, targeting high-value companies with valuable data and large revenue streams because they’re more likely to pay ransoms,” said Dr. Darren Williams, founder and CEO of cybersecurity firm BlackFog, Inc. According to BlackFog data, over 95% of attacks now involve data theft, and with AI making victim research easier than ever, extortion is rising sharply.

The rising threat is reflected in new data. According to the IBM Cost of a Data Breach Report 2025, the average cost of a U.S. data breach is now $10.22 million, with the global average at $4.44 million. Breaches involving unmonitored “shadow AI” tools, which have grown in number, cost an additional $670,000, on average. Shadow AI is the use of unapproved AI tools inside a company, creating hidden security risks.

In fashion, VF Corp, the U.S.-based owner of Vans and The North Face, suffered a ransomware attack in December 2023 that impacted 35.5 million customers’ personal information. In 2023, now-bankrupt fast fashion retailer Forever 21 disclosed a breach affecting more than 500,000 individuals.

Many of these breaches involve credential stuffing. Luxury houses, however, often maintain redundant systems — backup networks and mirrored servers — allowing them to isolate compromised environments and keep operations running. Chanel emphasized that “there was no malware deployed to our systems, and our operations remain unaffected,” highlighting the value of this kind of system.

For luxury houses built on exclusivity and personalized service, cybersecurity is now a brand-defining imperative, especially as AI bots are being used to enable more hacks. As Chanel’s spokeswoman noted, “Data security and the privacy of our clients are of the utmost importance for Chanel, and we have dedicated significant resources to responding to the situation.” Swiss jewelry brand Cartier, which experienced its own breach earlier this year, echoed that commitment, noting in a press statement that it had strengthened its defenses and engaged top-tier experts.

And the importance of cyber threats and preventing data leaks is growing. According to conversations with analysts, cybersecurity spending and cyber insurance costs are now factored into luxury investment outlooks, with IT resilience and digital risk management considered as important as merchandising or geographic expansion in investor evaluations.

According to Philippe Gijsels, chief strategy officer at the bank BNP Paribas, “With AI and quantum computing driving a digital arms race, both attackers and defenders must invest heavily in computing power. Security will be a key building block of the future, making it an attractive investment opportunity.”

Earnings

• Hugo Boss’s second quarter 2025 results, reported on August 5, showed U.S. sales returning to growth after a weak start to the year, driven by improved conversion rates despite subdued store traffic. Group revenue rose 1% year-over-year to $1.16 billion, with EBIT up 15% to $93.5 million. CFO Yves Müller said, “We are very happy that we are back to growth in the U.S. and whole in North America, including Canada. Q1 was pretty soft after the inauguration of Mr. Trump, and store traffic, especially, has been very low. It seems that there is a kind of gradual improvement also in retail.” He noted that the company has not seen shopping being pulled forward ahead of price changes.

News to know

• Wednesday marks the opening of the House of Dior New York, a four-story flagship designed by Peter Marino. It features the first U.S. Dior Spa, exclusive collections, immersive art installations and a garden-inspired interior celebrating Dior’s heritage and modern reinvention. It’s located on the corner of NYC’s 57th Street and Madison Avenue, near the site of Christian Dior’s original U.S. store, opened in 1948.
• On August 4, EssilorLuxottica acquired Belgium-based Automation & Robotics to boost its lens manufacturing technology and support emerging wearable categories, according to a statement from chairman and CEO Francesco Milleri.
• On Thursday, Swiss tariffs are set to increase to 39%, which is set to impact the Swiss watch industry. The U.S. Swiss watch market was worth $5.4 billion in 2024. This could push prices of models like the Rolex Submariner in the U.S. from $10,000 to nearly $14,000. The already-struggling Swatch company has been flagged as especially vulnerable, and high‑end brands like Rolex, Patek Philippe and Audemars Piguet are expected to pass costs to consumers.
• For many luxury brands, the Japan bubble has popped. In their latest earnings reports, LVMH and Richemont reported double-digit sales declines in the country as tourist-driven demand fades. However, there are exceptions. Hermès posted 16% growth in the region. CEO Axel Dumas attributed that growth to “a very long-standing story” and “a very special relationship with that very strong customer base in Japan,” built on decades of local investment and an “impeccable” retail network.

Listen in

On the latest Glossy Podcast, editor-in-chief Jill Manoff joined international fashion reporter Zofia Zwieglinska to break down three big stories: American Eagle Outfitters’s “Sydney Sweeney Has Great Jeans” campaign, which drew criticism for its wordplay on “genes;” Vogue’s debut of an entirely AI‑generated Guess ad; and DTC brand Quince’s $200 million fundraise. Plus, Manoff speaks to senior reporter Sara Spruch-Feiner about Ty Haney’s surprise return to Outdoor Voices, the DTC athleisure label Haney launched in 2013. Listen here.

Read on Glossy
Maeve is now an Anthropologie sub-brand. Beauty founders weigh in on the new tariff changes. Why new beauty brands are launching products with a blank grid.