Louis Vuitton data breach affecting 419,000 customers

A recent Louis Vuitton data breach affected 419,000 customers in the UK, South Korea, Turkey, Italy, Sweden and possibly more countries. Customers of the French luxury retailer Louis Vuitton are being notified of a data breach.

Breached information included names, passport details, addresses, email addresses, phone numbers, shopping history and product preferences. Hong Kong’s Office of the Privacy Commissioner said it started investigating the data breach.

According to statements emailed by LVMH to affected users, no payment information was affected.

LVMH said the French head office had found suspicious activities on its computer system on June 13, 2025, discovered Hong Kong customers were affected on July 2, and then reported the breach to the Hong Kong watchdog on July 17.


McDonald’s hiring app exposes data of 64 million applicants

Security researchers Ian Carroll and Sam Curry revealed multiple vulnerabilities in the McDonald’s AI-powered hiring platform, McHire, that exposed the personal information of over 64 million job applicants.

The root of the problem was surprisingly simple: McHire’s administrative interface, designed for restaurant franchisees, accepted the incredibly insecure username and password combination of “123456”. That and an insecure direct object reference (IDOR) allowed the researchers to gain entry and immediately granted them access to live administrative dashboards. This in turn allowed access to any inbox to retrieve the personal data of more than 64 million applicants.

Personal information included names, emails, phone numbers, job details and chat logs between applicants and McDonald’s AI recruiter, which could have included additional personal information.

McDonald’s responded swiftly:

  • June 30, 2025 5:46PM ET: Disclosed to Paradox.ai and McDonald’s
  • June 30, 2025 6:24PM ET: McDonald’s confirms receipt and requests technical details
  • June 30, 2025 7:31PM ET: Credentials are no longer usable to access the app
  • July 1, 2025 9:44PM ET: Followed up on status
  • July 1, 2025 10:18PM ET: Paradox.ai confirms the issues have been resolved


16 Billion login credentials stolen in largest data breach ever

Researchers announced the discovery of what seems to be the largest data breach ever recorded, with an astonishing 16 billion login credentials exposed online. The ongoing investigation, which began earlier in 2025, suggests that the credentials were collected through multiple infostealer malware strains.

The report published by CyberNews says:

  • The records are scattered across 30 different datasets, and some records are or might be overlapping
  • The data most likely comes from various infostealers
  • The data is recent, not merely recycled from old breaches

The data, structured by URL, login, and password, targets services like Apple, Google, Facebook, Telegram, GitHub, and some government portals.

The only silver lining here is that all of the datasets were exposed only briefly: long enough for researchers to uncover them, but not long enough to find who was controlling vast amounts of data. Most of the datasets were temporarily accessible through unsecured Elasticsearch or object storage instances.

How should we all boost our online protection?

  • Use long and complex passwords
  • Enable multi-factor authentication (MFA) whenever it is offered
  • Use biometric authentication if available, such as fingerprint recognition and facial scan
  • Use password managers
  • Change old passwords to stronger passwords
  • When you receive a text message or an email, don’t trust anyone


Cartier discloses data breach

Luxury jewelry company Cartier disclosed on June 3, 2025 that its website had been hacked and some client data stolen.

Cartier, whose watches, necklaces and bracelets have been worn by celebrities such as Taylor Swift, Madonna and Angelina Jolie, said to its customers: “We are writing to inform you that an unauthorized-party gained temporary access to our system and obtained limited client information”.

“We contained the issue and have further enhanced the protection of our systems and data.”

The company said that the compromised information included names, email addresses, and countries where the customer resides.

Cartier stresses that the breach did not include more sensitive data, such as passwords, credit card numbers, or banking details.

It asked its customers to remain alert for any unsolicited communications or any other suspicious correspondence.


Apple blocked over $9 billion in App Store fraud over five years

Apple revealed on May 27, 2025 that it prevented over $9 billion in fraudulent transactions in the last five years, including more than $2 billion in 2024 alone, highlighting its ongoing efforts to keep users safe.

Some of the other noteworthy statistics shared by Apple for 2024 are:

  • Detected and blocked more than 10,000 illegitimate apps on pirate storefronts.
  • Stopped nearly 4.6 million attempts to install or launch apps distributed illicitly outside the App Store or approved third-party marketplaces.
  • Rejected more than 1.9 million App Store submissions for failing to meet Apple’s standards for security, reliability, privacy violations, or fraud concerns.
  • Removed more than 37,000 apps for fraudulent activity.
  • Rejected over 43,000 app submissions for containing hidden or undocumented features.
  • Rejected over 320,000 submissions that copied other apps, were found to be spam, or otherwise misled users.
  • Rejected 400,000 app submissions for privacy violations.
  • Removed more than 143 million fraudulent ratings and reviews from the App Store.
  • Identified nearly 4.7 million stolen credit cards and banned over 1.6 million accounts from transacting again.


Google will pay Texas $1.375 Billion over unauthorized tracking and biometric data collection

Google will pay Texas $1.375 billion to settle two lawsuits over tracking users’ locations and storing biometric data without consent. This amount far exceeds previous fines over its location tracking practices: in November 2022, it paid $391 million to a group of 40 states; in January 2023, it paid $29.5 million to Indiana and Washington; and in September 2023, it paid another $93 million to California.

Filed in 2022, the case accused Google of unlawfully tracking geolocation, incognito searches, and collecting biometric data without consent, even with Location History turned off.

The settlement represents a major privacy victory for Texas and a stark warning to companies against violating user trust.


Luxury UK Retailer Harrods confirms cyberattack

On May 1, 2025, luxury UK retailer and department store Harrods confirmed a cyberattack. Harrods is the third UK retailer to suffer a cyberattack, following earlier attacks on Co-operative Group (Co-op) and Marks and Spencer (M&S).

“We recently experienced attempts to gain unauthorised access to some of our systems,” reads a statement published by the company. “Our seasoned IT security team immediately took proactive steps to keep systems safe and as a result we have restricted internet access at our sites today.”

“Currently all sites including our Knightsbridge store, H beauty stores and airport stores remain open to welcome customers. Customers can also continue to shop via harrods.com.”

As of this writing, none of the retailers affected have instructed customers to take any action.

A hacking group called Scattered Spider is believed to be behind the M&S cyberattack.


WhatsApp introduces Advanced Chat Privacy to protect sensitive Conversations

WhatsApp has introduced an extra layer of privacy called Advanced Chat Privacy that allows users to block participants from sharing the contents of a conversation in both traditional chats and chat groups.

“This new setting available in both chats and groups helps prevent others from taking content outside of WhatsApp for when you may want extra privacy,” WhatsApp said in a statement.

When this optional feature is enabled, it prevents other chat participants from exporting chats, auto-downloading media to their phone, and using messages for AI features. It’s worth noting that users can still take individual screenshots, or manually download the media.

The new Advanced Chat Privacy feature is part of a broader effort to make communicating using WhatsApp more secure.


Hertz announces data breach affecting many of its customers

Car rental giant Hertz has announced and begun notifying its customers of a data breach that included their personal information and driver’s licenses. The data breach affected at least 100,000 customers.

The rental company, which also owns the Dollar and Thrifty brands, said in notices on its website that the breach relates to a cyberattack on one of its vendors, Cleo, which provides a file transfer platform used by Hertz.

“On February 10, 2025, we confirmed that Hertz data was acquired by an unauthorized third party that we understand exploited zero-day vulnerabilities within Cleo’s platform in October 2024 and December 2024.”

The stolen data varies by individual and region, but includes customer names, contact information, date of birth, credit card information, driver’s license information and information related to workers’ compensation claims. Hertz said a smaller number of customers had their Social Security or other government identification numbers, passport information, Medicare or Medicaid ID, or injury-related information associated with vehicle accident claims impacted by the event.

Hertz has disclosed the breach to several US states, including California, Maine, and Texas. Hertz said at least 3,400 customers in Maine were affected, and some 96,665 customers in Texas, but neither disclosure listed the total number of affected individuals.


Laboratory Services Cooperative data breach impacts 1.6 million people

Laboratory Services Cooperative (LSC) is a non-profit US organization providing laboratory services, primarily to Planned Parenthood clinics, in 31 states. It is based in Seattle, Washington.

“On October 27, 2024, LSC identified suspicious activity within its network,” reads the notice.

“In response, LSC immediately engaged third-party cybersecurity specialists to determine the nature and scope of the incident and notified federal law enforcement.”

“The investigation revealed that an unauthorized third party gained access to portions of LSC’s network and accessed/removed certain files belonging to LSC.”

The information exposed for each individual varies and may include one or more of the following data types:

  • Personal identifiers: Full name, SSN, driver’s license or passport number, date of birth, and government-issued IDs.
  • Medical info: Dates of service, diagnoses, treatments, lab results, provider, and facility details.
  • Insurance info: Plan type, insurer, and member/group ID numbers.
  • Billing and financial data: Claims, billing details, bank and payment card info.

According to an April 10, 2025 filing submitted to Maine’s AG Office, the data breach impacts 1,600,000 people.

For LSC employees, the breach may also include information about their dependents or beneficiaries, if such details were provided to LSC.
