Recently, French luxury brand Louis Vuitton (LV) was once again hit by a data leak, which affected nearly 420,000 Hong Kong customers.
The Office of the Privacy Commissioner for Personal Data of Hong Kong (hereinafter referred to as the "Privacy Commissioner's Office") responded to the Louis Vuitton (LV) Hong Kong data leak incident on July 19.
The Privacy Commissioner's Office received a data leak incident notification from Louis Vuitton Hong Kong Limited (LVHK) on July 17. According to LVHK, its French head office discovered suspicious activity in its computer system on June 13, 2025, and then discovered on July 2 that the incident affected Hong Kong customers. LVHK became aware of the incident on the same day.
Preliminary information shows that the incident has affected the personal data of approximately 419,000 Hong Kong customers. The personal data involved includes name, passport number, date of birth, address, email address, telephone number, shopping history and product preference information.
The Privacy Commissioner's Office has launched an investigation into LVHK in accordance with established procedures, including whether the incident involved delayed notification. No relevant complaints or inquiries have been received so far.
Although the incident did not involve payment information, a large volume of personal identity data, once abused, may lead to more targeted fraud.
This is not the first time that LV has had a similar incident. According to technology news outlet BleepingComputer, in addition to Hong Kong, customer data in South Korea, Turkey, the United Kingdom and other places was also stolen, and the leaked content mainly included names, contact information and purchase records.
Louis Vuitton confirmed that the leakage of customer information in the United Kingdom, South Korea and Turkey all originated from the same security incident, which is suspected to be related to the hacker group ShinyHunters.
"Despite all security measures in place, on July 2, 2025, we became aware of a personal data breach resulting from the exfiltration of certain personal data of some of our clients following an unauthorized access to our system," reads Louis Vuitton's data breach notifications sent to customers.
"We would like to assure you that our cybersecurity teams have taken care of the incident with the utmost diligence and attention. Technical measures were immediately taken to contain the incident after its occurence, notably by blocking the unauthorized access.
"Louis Vuitton teams are mobilized to cooperate with the competent authorities which have been notified, including the Information Commissioner's Office (the ICO)."
In a statement to BleepingComputer, Louis Vuitton confirmed that no payment information was compromised from the database accessed during the incident.
The company further stated that it is working with cybersecurity experts to investigate the incident and has begun notifying relevant regulators.
The Louis Vuitton data leak affected 419,000 customers in Hong Kong as well as customers in multiple overseas markets, sounding the alarm for data security in the luxury industry. Although no financial information has been leaked, the large amount of personal identification information exposed is enough to create fraud risks and a crisis of trust. Regulatory investigations are still ongoing, and brands urgently need to strengthen their network and supply chain security. Consumers should also stay vigilant and play their part in keeping their data secure.
Author: Qinger