Kering Confirms Data Breach After Hackers Claim Millions of Customer Records Stolen
ShinyHunters says 7.4 million email addresses were taken from Gucci, Balenciaga and Alexander McQueen customer records; Kering says no financial information was accessed
Kering, the owner of Gucci, Balenciaga and Alexander McQueen, confirmed on Monday that it had been targeted in a cyberattack after a hacking group claimed to have stolen the personal data of millions of customers.
The hacking collective ShinyHunters said it had retrieved 7.4 million email addresses and other customer details. Media reports, citing the BBC, said the stolen information included names, email addresses, phone numbers, postal addresses and the total amounts spent at the brands' stores worldwide. Kering said no financial information was taken.
Kering confirmed the breach in a brief statement but did not immediately disclose the number of customers affected or the full scope of the data exposed. The company said investigations were under way; it did not provide a timetable for notifying potentially affected customers or regulatory authorities.
The claim from ShinyHunters follows a string of cyber incidents that have affected major brands in recent months. Separately, the hacking group known as Scattered Spider was reported to have attacked Jaguar Land Rover weeks earlier and has claimed responsibility for prior intrusions at Marks & Spencer, the Co-op and Harrods in April and May.
Industry analysts say attacks on retailers and luxury brands have become more frequent as cybercriminal groups seek large volumes of personally identifiable information that can be sold on underground markets or used for targeted fraud. The data reportedly taken in the Kering incident — including contact details and purchase histories — can increase the risk of phishing, impersonation and other forms of fraud if it is made public or traded.
Kering's portfolio spans multiple global luxury houses and e-commerce platforms, increasing the complexity of any investigation and potential customer outreach. The company has not released a full timeline of when the breach began or when it was discovered.
Authorities and some affected companies typically notify customers and regulators when breaches involve personal data, depending on jurisdictional requirements. It was not immediately clear which data-protection regulators, if any, had been informed in the Kering case.
ShinyHunters is a group that has previously claimed responsibility for mass data thefts; independent verification of its latest claim and the exact contents of any stolen data were not available at the time of publication. Kering's confirmation that no financial information was stolen, if accurate, would reduce the immediate risk of direct card fraud, though experts caution that 전화 numbers, email addresses and addresses can still be abused in other types of scams.
Kering did not respond to a request for further comment. Media outlets covering the incident cited both the company's acknowledgment and the hacking group's public claims as the basis for initial reporting. The investigation and any follow-up disclosures by Kering and relevant authorities are likely to determine the full scale and impact of the breach.