Dior Fined By China’s Cybersecurity Authority For Sending Consumer Data Overseas


Following an investigation into Dior’s customer data breach in May, China’s Public Security Bureau’s Cybersecurity Department has decided to impose a fine on Dior’s Shanghai subsidiary, according to a statement published on the department’s official WeChat account.

The investigation found that Dior violated consumer rights protected by China’s Personal Information Protection Law, which was issued in late 2021. The amount of the fine was not disclosed.

Violations cited by the announcement include “illegally transmitting user’s personal information to Dior’s headquarters in France without undergoing a security assessment, signing a standard contract for cross-border personal data transfer, or obtaining personal information protection certification; failure to obtain proper user’s ‘separate and explicit consent’; and inadequate data security measures, such as adopting encryption or data de-identification, when handling the personal information it collected.”

The announcement also included a safety reminder that urged companies to tighten cybersecurity practices when handling Chinese citizens’ personal data. 

“Personal information processors should take this case as a warning, [companies should] strictly follow the principles of lawfulness, necessity, and good faith,” it said.

Regulators also called on companies to strengthen controls across “the entire data lifecycle,” including data collection, storage, processing, sharing and deletion. 

WWD has reached out to Dior for a comment.

In mid-May, Dior confirmed a data breach that targeted the brand’s fashion and accessories customers, and said it had immediately taken steps to contain the incident.

According to a text message sent to customers, which quickly began circulating online and was picked up by local media, the LVMH Moët Hennessy Louis Vuitton-owned brand discovered that on May 7, an unauthorized external individual had stolen certain customer data.

Compromised personal information of Dior shoppers included name, gender, mobile phone number, email address, mailing address, spending level, shopping preferences and other information that the shopper might have included voluntarily. However, customers’ financial information, including bank account or payment card information, was not affected, the text message noted.

“We are working to notify relevant regulators and customers in line with applicable law. The confidentiality and security of our customers’ data is an absolute priority for the house of Dior. We sincerely regret any concern or inconvenience this matter may cause our customers,” a Dior spokesperson said at the time.

The breach may have also extended to neighboring South Korea. According to local media reports, Dior notified the South Korean Personal Information Protection Commission about the breach.


