Luxury fashion house Dior is facing mounting criticism in South Korea for failing to properly report a customer data breach that exposed sensitive information of local users. Despite notifying one government agency, Dior neglected to inform the Korea Internet & Security Agency (KISA)—a legal requirement—raising concerns about corporate transparency and compliance in cross-border data handling.
Cross-Border Breach, Domestic Fallout
On May 7, Dior discovered that an unauthorized third party had gained access to some of its global customer data, including contact details and purchase preferences. While no financial or payment data was reportedly compromised, the breach involved personal information of Korean customers—triggering obligations under South Korea’s Information and Communications Network Act.
Though Dior published a notice on its website and reported the incident to the Personal Information Protection Commission (PIPC), it failed to notify KISA, which plays a central role in handling cybersecurity and data protection incidents.
According to a source, this omission represents a clear breach of legal obligations under Article 48, Paragraph 3, which requires immediate notification to either the Ministry of Science and ICT or KISA for any data breach affecting local users.
“Regardless of where the breach originates, if Korean consumers are affected, notification is mandatory,” the source emphasized.
Regulatory Repercussions and Industry Oversight
KISA reportedly had to initiate contact with Dior Korea to explain the oversight, highlighting a concerning pattern of non-compliance among corporations operating in Korea. If the Ministry of Science and ICT determines that Dior violated reporting obligations, the company could face fines of up to 30 million won (~$21,180).
The incident comes just weeks after a high-profile breach at SK Telecom, which delayed its own breach notification by two days. Both incidents are prompting lawmakers and regulators to question whether the tech and retail sectors are sufficiently informed about the nuances of Korea’s data breach laws.
“There appears to be a lack of awareness or preparedness across industries when it comes to mandatory data breach reporting,” said a spokesperson. “If a global brand like Dior fails to comply, it raises concerns about the broader culture of compliance.”
Data Privacy Under the Spotlight in Korea
Korea, known for its stringent privacy regulations, has in recent years stepped up enforcement amid growing digital vulnerabilities. The Information and Communications Network Act explicitly covers international entities if domestic users are affected, underscoring Korea’s assertive jurisdictional stance on data protection.
Dior’s failure to notify the appropriate agency has drawn public and political scrutiny not only for legal non-compliance but also for its potential impact on consumer trust in luxury brands.
Although Dior has claimed the breach did not affect its Korean subsidiary, legal experts argue that cross-border corporate structures cannot be used to sidestep accountability.
Korean lawmakers are now calling for greater clarity, proactive training, and mandatory briefings for foreign entities operating in the Korean market to avoid similar lapses in the future.