On 11 February 2026, the Personal Information Protection Commission imposed surcharges totalling KRW 36'033'000'000 and administrative fines of KRW 10'800'000 on Louis Vuitton Korea, Christian Dior Couture Korea and Tiffany Korea for violations of the Personal Information Protection Act. The Commission found that the companies failed to implement required security measures under Article 29 in their use of Software as a Service (SaaS)-based customer management systems, resulting in personal data breaches affecting approximately 3.6 million Louis Vuitton customers, 1.95 million Dior customers and about 4'600 Tiffany customers. Louis Vuitton Korea was ordered to pay KRW 21'385'000'000 after malware on an employee device enabled hackers to obtain SaaS account credentials. Dior was fined KRW 12'236'000'000 in surcharges and KRW 3'600'000 in administrative fines after a voice phishing incident allowed unauthorised access and the company failed to properly monitor access logs or detect the breach for over three months. Tiffany was ordered to pay KRW 2'412'000'000 in surcharges and KRW 7'200'000 in fines for similar security deficiencies and for failing to notify affected individuals within the 72-hour statutory period under Article 34. In each case, the Commission identified failures to restrict system access by Internet Protocol address, apply secure authentication methods for remote access and adequately inspect access records, and it ordered the companies to publish notice of the administrative sanctions on their official websites.