News Analysis: Data of French Fashion Giant Chanel are Leaked
French fashion giant Chanel is the latest high-profile company to suffer a data breach, confirming that threat actors gained access to a database hosted at a third-party service provider. The breach, detected on July 25th, affected a subset of U.S. customers who had contacted the company’s client care center. The exposed data was limited to names, email addresses, mailing addresses, and phone numbers.
While Chanel has not publicly named the third-party provider, Brinztech’s analysis, aligned with multiple security reports, indicates the data was stolen from the company’s Salesforce instance. This attack is part of an ongoing wave of sophisticated data-theft attacks conducted by the notorious ShinyHunters extortion group, which has also compromised other major brands like Adidas, Qantas, Allianz Life, and LVMH brands including Louis Vuitton and Dior. The attacks are a result of social engineering, not a compromise of the Salesforce platform itself.
Key Cybersecurity Insights into the Chanel Breach
This data breach carries several critical implications:
- Social Engineering and Vishing as the Attack Vector: The attack was not a traditional hack of the Salesforce platform but rather a sophisticated social engineering campaign. Threat actors used vishing (voice phishing) to impersonate IT support staff and trick employees into compromising their credentials or authorizing a malicious OAuth app. This highlights the growing threat of human-centric attacks that bypass traditional perimeter defenses.
- Third-Party and Supply Chain Risk: The breach occurred via a third-party service provider, underscoring the critical importance of a robust third-party risk management program. Companies are not only responsible for their own security but also for the security of their vendors and their clients’ data. In this case, Salesforce provided the platform, but the security failure was at the client’s end, highlighting a shared responsibility for data protection.
- Targeted Extortion and Financial Motivation: The threat actor, ShinyHunters, is a known extortion group that sells stolen data on the dark web. The data from these Salesforce attacks is being used as leverage in extortion demands, not for a public leak. This means that companies are being pressured to pay a ransom to prevent the data from being sold to other malicious actors.
- Violation of U.S. Data Breach Notification Laws: As the breach affected customers in the United States, Chanel is subject to the data breach notification laws of the states where those customers reside. While there is no single federal law, all 50 states have their own laws requiring companies to notify affected individuals and, in many cases, state attorneys general. Failure to comply can result in fines and legal action. The FTC also has the power to enforce data security standards under the FTC Act, and has warned companies that compliance with state laws may not be enough if they fail to disclose information to help parties mitigate harm.
Critical Mitigation Strategies for Chanel and Other Companies
In response to this incident, immediate and robust mitigation efforts are essential for Chanel and any other company that uses a third-party service provider:
- MFA Enforcement and Least Privilege: As recommended by Salesforce, companies must enforce multi-factor authentication (MFA) for all users, especially those with privileged access. It is also critical to implement the principle of least privilege, ensuring that employees only have access to the data and systems they need for their job role.
- Security Awareness Training: Companies must conduct thorough security awareness training for all employees, with a specific focus on identifying and avoiding vishing and other social engineering attacks. This training should emphasize the importance of not sharing credentials or authorizing unknown apps, even if the request appears to come from a trusted source like IT.
- OAuth App Management: Organizations must carefully manage and monitor the OAuth apps that are connected to their third-party services. It is critical to regularly review which apps have been granted access, what permissions they have, and to immediately revoke access for any app that is not essential for business operations.
- Incident Response Plan Review: Companies must review and update their incident response plan to address potential data breaches involving third-party platforms. This plan should include a communication strategy for notifying affected customers and regulatory bodies, as well as procedures for containing the breach and remediating any damage.
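As an added illustration of the OAuth app management review described above (not code from Brinztech, Chanel, or Salesforce), the following sketch checks an inventory of OAuth grants against an approved list and flags unapproved apps, scopes beyond what was approved, and long-idle grants. The record layout, app names, allowlist, and 90-day threshold are assumptions constructed for the example.

```python
from datetime import date

# Constructed sample inventory of OAuth grants. Field names are hypothetical
# and do not represent a real Salesforce export format.
GRANTS = [
    {"app": "Marketing Sync", "user": "svc-marketing",
     "scopes": ["api", "refresh_token"], "last_used": "2025-07-20"},
    {"app": "Data Loader Pro", "user": "j.doe",
     "scopes": ["full", "refresh_token"], "last_used": "2025-07-24"},
    {"app": "Calendar Plugin", "user": "a.lee",
     "scopes": ["id"], "last_used": "2025-01-03"},
    {"app": "Support Console", "user": "m.ray",
     "scopes": ["api"], "last_used": "2025-07-25"},
]

# Assumption: the organization keeps an allowlist mapping each approved app
# to the widest set of scopes it is permitted to hold.
APPROVED = {
    "Marketing Sync": {"api", "refresh_token"},
    "Calendar Plugin": {"id"},
    "Support Console": {"id"},
}
BROAD_SCOPES = {"full", "api", "refresh_token"}  # bulk or long-lived data access
STALE_AFTER_DAYS = 90  # assumed review threshold


def review_grants(grants, approved, today):
    """Return (app, user, reasons) for every grant that needs attention."""
    findings = []
    for g in grants:
        reasons = []
        scopes = set(g["scopes"])
        allowed = approved.get(g["app"])
        if allowed is None:
            reasons.append("app not on allowlist")
            broad = sorted(scopes & BROAD_SCOPES)
            if broad:
                reasons.append("holds broad scopes: " + ", ".join(broad))
        elif scopes - allowed:
            extra = sorted(scopes - allowed)
            reasons.append("scopes beyond approval: " + ", ".join(extra))
        idle = (today - date.fromisoformat(g["last_used"])).days
        if idle > STALE_AFTER_DAYS:
            reasons.append(f"unused for {idle} days")
        if reasons:
            findings.append((g["app"], g["user"], reasons))
    return findings


if __name__ == "__main__":
    for app, user, reasons in review_grants(GRANTS, APPROVED, date(2025, 7, 28)):
        print(f"REVIEW {app} (granted by {user}): " + "; ".join(reasons))
```

Each flagged grant is a candidate for revocation or re-approval; approved apps with only their approved scopes and recent use pass without a finding.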