Luxury brands leave domestic customer data manager positions vacant… 'Fixing the barn after losing the cow' response expected
Global luxury brands Dior, Cartier, Tiffany, and Louis Vuitton have experienced personal data breaches one after another.
The absence of designated personal data protection officers for these brands in South Korea is expected to be identified as the cause of the incidents, and it is stirring controversy.
According to a report by Dong-A Ilbo on the 9th, an investigation into the personal data protection policies of the four luxury companies embroiled in the data breach controversy revealed that none of them have designated a local representative in South Korea.
Under current personal information protection laws, foreign companies with more than 1 trillion won in headquarters revenue in the previous year, or an average of over 1 million daily users, must designate a local representative and publicly disclose the designation. Violations can result in fines of up to 50 million won, effective from October.

According to the Financial Supervisory Service's electronic disclosure system, Louis Vuitton Korea's revenue last year was 1.7484 trillion won, and the domestic revenue of Richemont, which owns Cartier, was 1.7952 trillion won (from April 2024 to March 2025). Both far exceed the revenue threshold that triggers the requirement to designate a personal data protection officer.
Dior's revenue decreased slightly to 945.3 billion won last year, but it surpassed 1 trillion won in 2023 with sales of 1.0456 trillion won.
These brands have also shown a passive attitude toward designating personal data protection officers. The Personal Information Protection Commission stipulates that a company must designate a specific 'employee' rather than a 'department.'
However, Tiffany only designated the responsible department, and Louis Vuitton only amended its personal data protection policy on the 10th of last month, after a data breach incident, to belatedly name a responsible officer.

According to those in the security industry, the luxury brands involved in the breach incidents are known to have used a single cloud-based global CRM (customer relationship management) service provider.
A representative from the Personal Information Protection Commission explained to Dong-A Ilbo, "We are looking into whether this data breach is an issue with the service provider or a problem of negligence in management by the luxury brands."
Meanwhile, major domestic fashion companies are clearly disclosing their personal data protection officers, unlike foreign luxury brands. LF has defined its information protection head as the person responsible and established its own system to manage customer personal information.
In this regard, there are calls for luxury brands to strengthen their personal data protection oversight functions to prepare for hacker attacks targeting customer information.
