Milano-based luxury fashion brand Moncler has confirmed a data breach after a ransomware attack that disrupted its IT services during Christmas.
In a short update on Jan. 3, the fashion house said it had detected unauthorized access to personal data on its systems and that it had contacted the local data protection agency and police.
However, in a press release from Jan. 18, Moncler provided additional details of the cyberattack that delayed many order shipments during the holidays. According to the company, the attackers managed to steal information belonging to employees and customers – data that has now been put up for sale on the dark web.
“Concerning the cyberattack reported in the press releases dated 23 and 30 December 2021, Moncler informs that the Company has received a ransom demand which has been rejected, firmly believing the request to be against its founding principles,” reads the data breach notification, shared with Bleeping Computer. “As a result of this decision some data, that was exfiltrated by cybercriminals, have been published on the dark web today. While the investigation related to the attack is still ongoing, Moncler confirms that the stolen information refers to its employees and former employees, some suppliers, consultants and business partners as well as customers registered in its database.”
The attack was orchestrated by the AlphV/BlackCat ransomware gang, which is now trying to sell information belonging to “rich customers” via its data leak website.
Although the luxury fashion house provided no comprehensive list of the data sets stolen during the attack or the number of affected customers, it stated that “no data relating to credit cards or other means of payment have been exfiltrated, as the company does not store such data on its systems.”
According to Bleeping Computer’s analysis of the ransomware gang’s leak website, the threat actors are now attempting to cash in.
“The brand sold all of you for $3m,” the post reads. “If you’re interested in buying the information about rich customers feel free to reach us.”
Moncler has also advised customers to be wary of fake messages impersonating official communications from the company, and to avoid using the same ID and password provided during registration on other websites.