Kering Confirms Data Breach Affecting Gucci, Balenciaga and Other Luxury Brands
Hackers claim millions of customer records were taken, including names, contact details and purchase totals; the company says no financial information was stolen
Kering, the French luxury goods group that owns Gucci, Balenciaga and Alexander McQueen, confirmed in mid-September 2025 that it had suffered a cyberattack that may have exposed customer data for the brands.
The company acknowledged a breach after a hacking group known as ShinyHunters claimed to have obtained customer information, including names, email addresses, phone numbers, physical addresses and the total amount spent at the retailers. The group said it had retrieved 7.4 million email addresses, a figure that was reported by the BBC. Kering said no financial information — such as payment card data — was stolen.
Kering did not immediately disclose how many customer records were compromised beyond what the hacking group has claimed. The company said it had launched an investigation and notified relevant authorities, and that it was taking steps to reinforce its security measures. The group did not provide a detailed timeline for when the intrusion occurred or how the attackers gained access.
The incident adds to a string of high-profile corporate breaches in recent months. Separate attacks have been publicly linked to other criminal groups: Scattered Spider, for example, has been tied to recent intrusions affecting automaker Jaguar Land Rover and has been accused of earlier strikes on retailers including Marks & Spencer, the Co-op and Harrods in April and May.
ShinyHunters is a hacking collective that has been associated in past incidents with the theft and publication of large datasets. When exposed in public, customer contact information, purchase histories and other personal details can increase the risk of phishing, account takeover and social engineering attacks, security specialists say. Kering and its brands face the immediate task of determining the scope of the leak and informing affected customers and regulators as required by data-protection laws in jurisdictions where they operate.
Kering is one of the world’s largest luxury-goods companies and operates a portfolio of high-end fashion and accessory brands. Any breach of customer information poses potential legal, regulatory and reputational consequences, particularly under stringent European privacy rules. The company’s confirmation that no financial information was taken could limit the exposure to direct payment fraud, but the loss of personal contact and purchase data may nonetheless be used by criminals to craft targeted scams or to attempt account access on related services.
The firm did not provide immediate advice to customers on steps to take following the announcement. Consumers who receive unsolicited emails or messages purporting to be from Kering brands should exercise caution and verify communications through official company channels before clicking links or providing additional information.
Authorities and cybersecurity professionals will continue to monitor the investigation and any subsequent disclosures from Kering. The company said it would provide further information as its review progresses.