Incident Types: The types of cybersecurity incidents that have occurred include Breach and Cyber Attack.

Total Financial Loss: The total financial loss from these incidents is estimated to be $500 thousand.

Detection and Response: The company detects and responds to cybersecurity incidents through an incident response plan activated with yes (systems secured post-breach), and law enforcement notified with implied (followed advice not to pay ransom), and containment measures with secured it systems, containment measures with revoked unauthorized access, and internal with none, external with emailed affected customers (no public statement), transparency level with low (no details on number of victims or public disclosure), and incident response plan activated with likely (not confirmed), and third party assistance with cybersecurity forensics (assumed), third party assistance with legal counsel (assumed), and containment measures with salesforce account lockdown (assumed), containment measures with password resets, containment measures with session termination, and remediation measures with customer notification (pending), remediation measures with credit monitoring (likely), remediation measures with salesforce security review, and communication strategy with internal (confirmed), communication strategy with public disclosure (pending), and enhanced monitoring with likely (assumed)..

Common Attack Types: The most common types of attacks the company has faced is Breach.

Identification of Attack Vectors: The company identifies the attack vectors used in incidents through Compromised employee credentials (Salesforce logins) and Compromised Salesforce Credentials (likely phishing or credential stuffing).

Average Financial Loss: The average financial loss per incident is $250.00 thousand.

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Personal Data (Emails), Transaction Data (Total Sales), Customer Profiles, , Personally Identifiable Information (Pii), Customer Profiles, Purchase Histories (Likely) and .

Incident Response Plan: The company's incident response plan is described as Yes (systems secured post-breach), Likely (not confirmed).

Third-Party Assistance: The company involves third-party assistance in incident response through Cybersecurity Forensics (assumed), Legal Counsel (assumed), .

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Customer Notification (pending), Credit Monitoring (likely), Salesforce Security Review, .

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through by secured it systems, revoked unauthorized access, , salesforce account lockdown (assumed), password resets, session termination and .

Ensuring Regulatory Compliance: The company ensures compliance with regulatory requirements through Potential class-action lawsuits, Regulatory investigations (e.g., CNIL in France), .

Key Lessons Learned: The key lessons learned from past incidents are Third-party risk management failures (Salesforce compromise),Inadequate MFA or credential protection for critical cloud accounts,Delayed public disclosure increases reputational risk,Luxury brands are high-value targets for data theft and extortion.

Implemented Recommendations: The company has implemented the following recommendations to improve cybersecurity: Establish a transparent breach disclosure timeline to maintain customer trust, Implement strict MFA for all cloud accounts (especially CRM systems like Salesforce), Enhance monitoring for unusual data access patterns in cloud environments, Conduct third-party security audits for vendors handling customer data and Develop a pre-negotiated incident response plan with cybersecurity firms.

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at and Source: BBC News, and Source: Google Threat Analysis Group (UNC6040 warning), and Source: DataBreaches.netUrl: https://www.databreaches.netDate Accessed: 2025-09-16, and Source: Risky Business NewsletterUrl: https://risky.bizDate Accessed: 2025-09-16.

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Internal (Confirmed) and Public Disclosure (Pending).

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: were None (no public statements), Emailed notifications to affected individuals and Pending (likely to include credit monitoring offers).

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as Cybersecurity Forensics (Assumed), Legal Counsel (Assumed), , Likely (assumed).

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Mandatory Mfa For All Salesforce Users, Real-Time Alerting For Bulk Data Exports, Isolation Of Subsidiary Data Within Salesforce, Employee Training On Phishing And Credential Hygiene, .

Ransom Payment History: The company has Paid ransoms in the past.

Last Ransom Demanded: The amount of the last ransom demanded was Yes (amount undisclosed, demanded in Bitcoin).

Last Attacking Group: The attacking group in the last incident were an Name: Shiny Hunters (aka UNC6040)Type: Individual/Cybercriminal GroupMotivation: ['Financial Gain (Ransom Demand)' and 'Data Theft for Resale']Known Aliases: ['UNC6040'].

Most Recent Incident Detected: The most recent incident detected was on 2023-06.

Highest Financial Loss: The highest financial loss from an incident was $500,000 (ransom demanded, unpaid) + potential regulatory fines and remediation costs.

Most Significant Data Compromised: The most significant data compromised in an incident were Customer Records: 7400000, Details: ['Email addresses', 'Total Sales (purchase history)', 'Customer spending patterns'], , Customer Records: 7400000, Details: ['Email addresses', 'Total Sales (purchase history)', 'Customer spending patterns'], , 56 million customer records (43M Gucci and 13M other brands).

Most Significant System Affected: The most significant system affected in an incident was Internal Salesforce softwareCustomer databases and Salesforce CRMCustomer Databases.

Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was cybersecurity forensics (assumed), legal counsel (assumed), .

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were Secured IT systemsRevoked unauthorized access and Salesforce Account Lockdown (assumed)Password ResetsSession Termination.

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were 56 million customer records (43M Gucci and 13M other brands).

Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 56.0M.

Highest Ransom Demanded: The highest ransom demanded in a ransomware incident was $500,000.

Most Significant Legal Action: The most significant legal action taken for a regulatory violation was Potential class-action lawsuits, Regulatory investigations (e.g., CNIL in France), .

Most Significant Lesson Learned: The most significant lesson learned from past incidents was Luxury brands are high-value targets for data theft and extortion.

Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was Establish a transparent breach disclosure timeline to maintain customer trust, Implement strict MFA for all cloud accounts (especially CRM systems like Salesforce), Enhance monitoring for unusual data access patterns in cloud environments, Conduct third-party security audits for vendors handling customer data and Develop a pre-negotiated incident response plan with cybersecurity firms.

Most Recent Source: The most recent source of information about an incident are DataBreaches.net, Risky Business Newsletter, BBC News and Google Threat Analysis Group (UNC6040 warning).

Most Recent URL for Additional Resources: The most recent URL for additional resources on cybersecurity best practices is https://www.databreaches.net, https://risky.biz .

Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing (company claims systems secured; no further updates).

Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was None (no public statements), .

Most Recent Customer Advisory: The most recent customer advisory issued were an Emailed notifications to affected individuals and Pending (likely to include credit monitoring offers).

Most Recent Entry Point: The most recent entry point used by an initial access broker was an Compromised employee credentials (Salesforce logins).

Most Recent Reconnaissance Period: The most recent reconnaissance period for an incident was Unknown (breach detected in June, occurred in April).

Most Significant Root Cause: The most significant root cause identified in post-incident analysis was Social engineering (phished credentials)Insufficient multi-factor authentication (MFA) on SalesforceLack of early detection (breach undetected for ~2 months), Weak authentication for Salesforce admin accountsLack of continuous monitoring for anomalous data accessInsufficient segmentation between Kering subsidiaries' data in SalesforceDelayed detection (breach occurred in June, disclosed later).

Most Significant Corrective Action: The most significant corrective action taken based on post-incident analysis was Mandatory MFA for all Salesforce usersReal-time alerting for bulk data exportsIsolation of subsidiary data within SalesforceEmployee training on phishing and credential hygiene.