The Cyberspace Administration of China has issued an administrative penalty against the Shanghai branch of a high-end fashion brand owned by a major corporation, due to the unauthorized transfer of customer personal data to its headquarters in Europe and inadequate security measures.
Following a data breach in May, Chinese regulators investigated the Shanghai location and identified three violations. Firstly, the company transferred personal customer data to its Paris office without conducting a security review, formalizing a data export agreement, or obtaining certification for personal information protection.
Secondly, the company failed to notify customers about how their data would be used by the recipient and did not secure their separate consent. Thirdly, it did not put adequate security safeguards in place, such as encrypting data or removing personally identifiable information.
Details about the specific penalties have not yet been released.
The breach was first detected on May 7, when an unauthorized third party accessed and retrieved customer details, including names, gender, contact information, email, mailing addresses, purchase history, and preferences. Several customers in China received warning messages on May 12, alerting them to potential data compromise.
This incident is part of a pattern, as other luxury brands have also faced data breaches this year. In June, some customers received emails indicating their Cartier account information had been leaked. In July, Louis Vuitton disclosed a breach affecting nearly 420,000 customers in Hong Kong.
Industry experts note that many luxury brands are still shifting to digital operations but often maintain lax data management practices. Customer data is frequently stored across multiple locations, poorly categorized, and held without clear jurisdictional boundaries. This fragmentation hampers efforts to enforce comprehensive security and dynamic risk management systems.