LVMH reveals consumer data breach on Tag Heuer in a delayed disclosure

(Source: Korea Bizwire)

In a delayed disclosure, the French luxury conglomerate LVMH revealed that nearly 2,900 South Korean customers’ personal data was compromised in a cyberattack on its high-end watch brand Tag Heuer in late 2019 and 2020.

The breach, which also affected customers globally, has reignited concerns over the protection of personal information held by overseas companies.

The belated notification from Tag Heuer, occurring only in May 2023, underscores the challenges consumers face in safeguarding their data when dealing with foreign entities without a domestic presence.

As more South Korean users share information with international online retailers like AliExpress and Temu, apprehensions surrounding data privacy are growing.

“It’s true that when you directly open a member account with an overseas company, it becomes difficult to be protected,” said Youm Heung Youl, a professor of information security at Soonchunhyang University.

“If there’s no domestic corporation and the headquarters is abroad, it’s challenging to inquire, and often, breaches are only noticed after the information has already been leaked.”

Online communities and social media platforms have voiced worries that individuals’ privacy rights could deteriorate as more personal data is stored overseas.

Verifying compliance with security standards becomes arduous, and the likelihood of violating domestic laws increases.

During last year’s national audit of the Personal Information Protection Commission, concerns were raised about the potential for South Korean users’ personal information to be transferred abroad when accessing major Chinese shopping sites.

In fact, Temu’s application discloses that users’ personal information may be transferred to the United States, Singapore, Japan, the Netherlands, and South Korea, as stipulated in its “Personal Information Processing Entrustment” clause.

Previously, the Consumers Union of Korea criticized Alibaba for sharing user data with over 180,000 Chinese vendors while only disclosing basic details like their business names and email addresses.

These incidents have reinforced calls for stronger protections for personal data held by foreign entities. While the Personal Information Protection Commission introduced an “Overseas Transfer Suspension Order” last year, allowing it to halt data transfers that harm individuals, the measure has yet to be invoked.

The commission’s newly formed “Overseas Transfer Expert Committee,” established earlier this year, has also shown minimal activity thus far.

One committee member commented, “After its establishment, there hasn’t been any notable activity or separate communication from the commission. It seems to be taking quite some time to organize matters.”

Lim Jong In, a professor at Korea University’s Graduate School of Information Security, advised, “In the case of the European Union, strict standards are set and permits are required when citizens’ information is stored externally. South Korea should also take administrative measures, such as guidance, when companies from countries with lower data protection standards than our own operate domestically. They should be obligated to store at least a portion of the data on Korean servers.”

This story was originally published by Ashley Song, via Korea Bizwire.
