Kering confirms customer data stolen from Gucci, Balenciaga and Alexander McQueen; hacker claims millions of records

Kering, the French luxury goods group that owns Gucci, Balenciaga and Alexander McQueen, said an unauthorized third party gained temporary access to some customer data after a breach first carried out in April and identified in June.

The company confirmed that accessed information included customer names, email addresses, phone numbers, postal addresses and "Total Sales" figures showing how much individuals have spent at its houses. Kering said no financial information such as bank account numbers, credit card details or government-issued identification numbers were involved in the incident, and that it has secured its IT systems and notified relevant data protection authorities. The firm said it has emailed affected customers but has not disclosed how many people were impacted.

A hacker who identifies themselves as "Shiny Hunters" told the BBC over Telegram that they had data linked to 7.4 million unique email addresses, a figure that could indicate a similar number of individual victims. The BBC was shown a small sample of stolen data described as containing thousands of customer details that appeared genuine; the outlet said the files were deleted after analysis. Some records in the sample included customers whose "Total Sales" with the brands exceeded $10,000, with a few shown to have spent between $30,000 and $86,000.

Shiny Hunters said they breached the systems in April and contacted Kering in early June to discuss a ransom to be paid in Bitcoin. Kering denied engaging in any such negotiations and said it has refused to pay a ransom in line with long-standing law enforcement advice.

Cyber-security observers have linked the Shiny Hunters name to a wider pattern of attacks on luxury brands. Google warned in June about a trend of intrusions tied to a cluster it calls UNC6040; Google said attackers in that group have obtained data by tricking employees into handing over login credentials for internal systems such as Salesforce. Google has said it was among the organisations affected. It is not known whether the attacks disclosed by other luxury houses, including publicised incidents at Cartier and Louis Vuitton in the same period, are related to the Shiny Hunters activity.

The presence of purchase totals in the stolen records is a particular concern for victims, security experts said, because publicly available evidence that an individual is a high-value customer can increase the likelihood of being targeted in follow-on scams or social-engineering attacks. Stolen personal details such as names, addresses, dates of birth and order histories can be used to impersonate a trusted organisation when contacting victims by email, text or phone.

Authorities and cyber-security bodies recommend that people affected by data breaches remain vigilant. The National Cyber Security Agency advised changing passwords, enabling two-factor authentication where possible, avoiding password reuse across accounts and using longer passphrases — for example, three random words — to make credentials harder to crack. It also recommended that anyone who receives a suspicious call claiming to be from a bank should hang up and call the number printed on their card or listed on the bank’s official website.

Kering said it has notified the relevant data protection authorities and contacted affected customers by email. Under applicable rules, a company that has individually informed those affected is not necessarily required to make a broader public statement. The firm has not disclosed the total number of customers impacted or whether it has identified how the attackers initially gained access to its systems. Investigations by Kering and the authorities are ongoing.