Cyber criminals have stolen the private details of potentially millions of Balenciaga, Gucci and Alexander McQueen customers in an attack.
The stolen data includes names, email addresses, phone numbers, addresses and the total amount spent in the luxury stores around the world.
Kering, the parent company of the luxury brands, has confirmed the breach and says it disclosed the incident to the relevant data protection authorities.
It said no financial information, such as card details, were stolen.
The firm also says it has emailed customers affected but has not said how many, or made any public statements about the hack.
Legally, the company is not obligated to make any public statements about the breach as long as it has notified all individuals affected through other means.
The cyber criminal behind the attack calls themselves Shiny Hunters.
They claim to have data linked to 7.4m unique email addresses which suggests the total number of individual victims could be similar.
A small sample shared with the BBC as proof contained thousands of customer details which appear to be genuine. Once analysed the files were deleted.
One of the details in the stolen data is “Total Sales” which shows how much money a person has spent with each brand.
Some customers are shown to have spent more than $10,000 with a handful spending $30,000-$86,000 in stores in the small sample analysed by the BBC.
This information is particularly concerning for victims as it could lead to high spenders being targeted by secondary hacks and scams if the hacker decides to leak the information to other criminals.
Shiny Hunters appears to be acting alone and told the BBC over Telegram chat that they breached the luxury brands in April through Kering.
The hacker contacted the French company in early June and claims to have been in on-off negotiations with them over a ransom to be paid in Bitcoin. This is denied by the company which says it has not engaged in any conversations with the criminal.
The company says it has refused to pay the hacker in accordance with long-standing law enforcement advice.
“In June, we identified that an unauthorized third party gained temporary access to our systems and accessed limited customer data from some of our Houses. No financial information – such as bank account numbers, credit card information, or government-issued identification numbers – was involved in the incident,” a Kering spokesperson said adding it has since secured its IT systems.
The data breach which happened in April came at the time of a wave of attacks on luxury brands including Cartier and Louis Vuitton also disclosed breaches to customers and the public.
It’s not known if those attacks are linked to Shiny Hunters.
In June, cyber security experts at Google issued a warning about a trend of attacks linked to Shiny Hunters that the tech giant also subsequently fell victim to.
The hacker or hackers are known by Google as UNC6040 which have been stealing data through tricking employees into handing over their log in details for internal company Salesforce software.
Stolen information in cyber-attacks may include your name, address, date of birth and online order history.
Scammers may use these to try and look genuine and contact you pretending to be another organisation, including a bank or government.
So it’s important to stay vigilant if you receive suspicious emails, messages or phone calls.
Be aware that scammers often try and press you to do something urgently.
If you do get a call from your bank and are unsure if it’s genuine, hang up and call the number on your card or the bank’s website.
The National Cyber Security Centre says you should change your password, and use two-factor authentication if possible.
Passwords made up of three random words are harder to crack, and do not reuse password across multiple accounts.