(Yicai) Sept. 10 -- The Cyberspace Administration of China has imposed an administrative penalty on the Shanghai unit of Dior, a luxury brand under LVMH, for transferring customers' personal data to its headquarters in France without authorization and failing to implement the required safeguards.
Following a data breach in May, Chinese watchdogs probed Dior Shanghai and found that the company had committed three violations, the cyber police announced yesterday. First, it transferred customers' personal data to Dior's Paris HQ without undergoing a security assessment for data export, completing a standard contract to export such information, or obtaining personal information protection certification.
Second, Dior Shanghai did not inform its customers about how the recipient would handle the data before providing it, nor did it obtain their separate consent, the regulator noted. Third, it failed to implement security measures such as data encryption and de-identification.
The specific penalties imposed on Dior have not been disclosed yet.
On May 7, Dior Shanghai detected that an unauthorized external party had accessed and obtained some customer data held by the company, including names, gender, phone numbers, email addresses, and mailing addresses, as well as purchase history and consumption preferences.
On May 12, multiple Dior customers in China received text messages from the company warning that their personal data may have been compromised.
Several other luxury brands have also experienced customer data breaches in China this year. In June, some shoppers said they received an email that Cartier's system was compromised and there had been a data leak, while Louis Vuitton announced a data breach affecting almost 420,000 customers in Hong Kong in July.
Many luxury brands have gone through a digital transformation, but they have relatively lax management when it comes to data, according to industry insiders. The customer data of some major brands is scattered across multiple locations, broadly classified, and lacks clear boundaries, making it difficult to implement unified, strict, tiered security and dynamic risk control, they pointed out.
Editor: Martin Kadiev