FEBRUARY 16 NEWS ROUNDUP: LOUIS VUITTON, DIOR, TIFFANY FINED; ODIDO, CONDUENT, CONPET DISCLOSE CYBER INCIDENTS

Over the past week, weaknesses across retail, telecommunications, energy, and public infrastructure triggered fines, investigations, and closer scrutiny.


Here is a closer look at the cases that stood out.


Louis Vuitton, Dior, and Tiffany Fined $25 Million Over Customer Data Breaches

South Korea’s Personal Information Protection Commission (PIPC) has imposed a combined $25 million fine on Louis Vuitton, Christian Dior Couture, and Tiffany & Co. after data breaches exposed personal information linked to more than 5.5 million customers.


While the incidents affected different brands, regulators traced all three cases to weaknesses in cloud-based customer management systems. Each breach originated from compromised credentials, which provided attackers with access to internal platforms storing customer data.


At Louis Vuitton, malware on an employee device enabled credential theft and unauthorised access to records connected to 3.6 million customers. The scale of the exposure resulted in a $16.4 million penalty, the largest of the three fines.


Christian Dior Couture faced a similar outcome following a phishing attack that compromised nearly 2 million customer records. In addition to the breach itself, the company was penalised for failing to notify authorities within the required 72-hour window, bringing its total fine to $9.4 million.


Tiffany & Co. received a $1.85 million fine after a voice-phishing incident led to unauthorised access to 4,600 customers’ data.


In its ruling, the commission made clear that the use of third-party SaaS platforms does not transfer accountability. Organisations remain fully responsible for securing customer data, regardless of where or how that data is processed.


Conduent Incident Grows to 25 Million Affected Individuals

The risks tied to third-party service providers became more apparent following updated disclosures from Conduent. What initially appeared limited in scope now points to potential exposure affecting at least 25 million individuals.


This surge in numbers follows recent regulatory filings in two key states. In Oregon, authorities confirmed that the breach impacted over 10 million individuals. In Texas, an updated filing with the Attorney General raised the count of affected residents from an initial estimate of 4 million to more than 15.4 million.


The Safepay ransomware group has claimed responsibility for the attack. Although the intrusion began in late 2024, confirmation across partners took more than a year.


Odido Breach Exposes 6.2 Million Customer Records

Dutch telco provider Odido confirmed its customer contact management system was breached, affecting an estimated 6.2 million individuals.


The exposed data includes names, home addresses, phone numbers, and IBAN bank details. Passwords, call records, and identity document scans were not involved. Despite these exclusions, the volume of exposed data has drawn attention from the Dutch Data Protection Authority.


Odido has closed the point of access and begun notifying affected customers. The company also warned that the stolen information could be used in fraud or phishing campaigns, particularly given the inclusion of financial identifiers.


Conpet Reports 1TB Data Theft Following Ransomware Attack

Romania’s national oil pipeline operator Conpet S.A. announced that the Qilin ransomware group exfiltrated nearly one terabyte of internal data during an attack on its corporate IT environment.


Operational technology and SCADA systems remained isolated, preventing disruption to oil transport. However, the stolen data includes financial records, vendor details, and employee passport scans.


Investigators believe the breach originated from an IT administrator’s personal device infected with infostealer malware, which exposed VPN credentials. Conpet is working with the Romanian National Cyber Security Directorate and has issued warnings about potential misuse of the stolen information.


Nigeria Mandates 48-Hour Breach Notifications for Telecoms

The Nigerian Communications Commission has issued a directive under the revised Internet Code of Practice 2026 requiring telecom operators to notify both affected subscribers and the regulator within 48 hours of detecting a data breach.


Operators must submit an initial notice within the two-day window, even if details remain incomplete, followed by a full report within 14 days. The rule is intended to reduce exposure to identity theft and financial fraud by accelerating disclosure.

