Cyber Incident Victim: Christian Dior
Date: Jan 2025
Location: United States of America
Summary
Christian Dior faced multiple class action lawsuits alleging failure to protect customer data following a third-party Salesforce breach that exposed unencrypted personal information, including names, addresses, birthdates, and government IDs. Plaintiffs claimed delayed breach detection and notification left customers vulnerable to identity theft and financial fraud, with some reporting fraudulent tax filings and unauthorized financial activity. The lawsuits accused the company of negligence and inadequate security practices but were voluntarily dismissed without prejudice, potentially impacting broader multidistrict litigation efforts against retail firms involved in the Salesforce-related cyberattack.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 0 motives | 1 technique |

| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In January 2025, a cyberattack exploiting vulnerabilities in Salesforce’s technology compromised Christian Dior Inc.’s customer data systems. The breach exposed sensitive personal information of U.S. customers, including names, addresses, birthdates, and unredacted government identification numbers stored in unencrypted formats. Attackers accessed this data through security gaps in the third-party Salesforce platform used by Dior. The company did not detect the intrusion until May 7, 2025, nearly four months after the initial breach occurred. Notification to affected individuals was delayed until mid-July 2025, approximately six months post-breach. This timeline left customers unaware of the exposure during the critical window when attackers could misuse their data. Plaintiffs later reported incidents of identity theft, fraudulent tax filings, and attempted financial fraud directly linked to the breach.

Five proposed class action lawsuits were filed against Dior in the Southern District of New York between June and July 2025 by plaintiffs from Illinois, Pennsylvania, California, and Florida. The cases—Toikach v. Christian Dior, Inc., Ansryan v. Christian Dior Inc., Holland v. Christian Dior, Inc., and Bhatt et al. v. Christian Dior, Inc.—alleged negligence, breach of implied contract, and unjust enrichment. Plaintiffs argued Dior failed to implement basic data safeguards, including encryption or redaction of sensitive information, and relied on a compromised third-party vendor without adequate oversight. The delayed detection and notification deprived customers of opportunities to mitigate risks promptly. On December 8-9, 2025, plaintiffs voluntarily dismissed all lawsuits without prejudice, ending litigation against Dior but leaving open the possibility of refiling. These dismissals occurred amid broader multidistrict litigation efforts involving nearly 100 similar cases tied to the Salesforce breach, potentially influencing the scope and momentum of remaining claims against other retailers.
