In a troubling sign for luxury retail cybersecurity, Louis Vuitton has confirmed a data breach that compromised personal information belonging to customers in the United Kingdom. The cyberattack, which occurred on July 2, 2025, marks the third known incident targeting LVMH systems in the past three months.

The breach exposed sensitive details such as customer names, contact information, and purchase history, according to a statement released by the company.

“This incident is deeply regrettable. We are fully cooperating with the authorities and have taken immediate steps to contain the breach,”
— Louis Vuitton spokesperson

Pattern of Global Exposure

This latest breach follows a similar cyberattack on Louis Vuitton’s South Korean operations, further raising concerns about the cybersecurity posture of luxury conglomerate LVMH (Moët Hennessy Louis Vuitton).

“The nature of these attacks underscores the evolving threat landscape facing global retailers. No brand—no matter how prestigious—is immune,”
— Marc Delattre, Cybersecurity Analyst

Regulatory Response and Next Steps

Louis Vuitton has formally notified the U.K. Information Commissioner’s Office (ICO) and launched an internal investigation. Under GDPR, companies are required to notify both regulators and affected customers when a breach presents a high risk to individual privacy.

“We are conducting a preliminary review and expect the company to keep affected individuals informed,”
— ICO Spokesperson

LVMH stated that it is taking further measures to strengthen cybersecurity controls, and ensure such incidents are not repeated.

What You Can Do if You’re Affected

Customers in the U.K. who have recently interacted with Louis Vuitton are advised to:

• Monitor emails for breach notification
• Be cautious of phishing attempts
• Review any suspicious account activity
• Contact Louis Vuitton support for confirmation and support

A cyberespionage group with strong ties to the Iranian state has reemerged, targeting multiple organizations across the Middle East using an enhanced variant of the Pay2Key ransomware. According to recent threat intelligence shared by Check Point Research and corroborated by Israeli CERT, the new wave of attacks includes data theft, wiper components, and credential harvesting, suggesting an evolution beyond classic ransomware-for-profit motives.

Threat Actor Profile: Pay2Key

Pay2Key first surfaced in late 2020, known for ransomware attacks against Israeli firms. While earlier variants focused on fast encryption and ransom notes dropped across corporate environments, recent activity ties the group directly to Iranian threat actor clusters affiliated with APT39 and Agrius.

The group is now believed to be part of Tehran’s broader cyber-espionage apparatus, using ransomware as both a smokescreen and a disruptive geopolitical weapon.

Technical Details of the Attack Chain

The recent campaign exhibits a high level of tactical sophistication:

1. Initial Access

• Exploited public-facing VPN services and unpatched Microsoft Exchange servers
• In some cases, brute-force attacks on remote desktop services (RDP) were successful due to weak credentials

2. Credential Dumping and Lateral Movement

• Deployed Mimikatz and custom LSASS scrapers to extract credentials
• Used PsExec, WMI, and SMB to propagate across the network

3. Payload Deployment

• The updated Pay2Key binary is packed with UPX and uses AES-256 encryption
• Ransom note includes references to “Zionist collaborators” and demands payments in Monero (XMR), a privacy coin harder to trace than Bitcoin

4. Exfiltration and Destruction

• Files exfiltrated via Mega.io API or command-and-control (C2) servers hosted in Russia and Turkey
• In some cases, wiper modules were deployed post-encryption, designed to destroy shadow copies and render recovery impossible

Attribution and Geopolitical Implications

Researchers attribute the campaign to Iranian-backed actors based on:

• Code reuse from prior Agrius malware families
• IP infrastructure historically linked to APT39
• Political messaging within ransom notes

Israeli cybersecurity agencies believe the attack is part of a broader campaign to destabilize regional tech and financial sectors, rather than a simple financial crime. This hybrid of cybercrime and cyberwarfare further blurs attribution lines and complicates international response.

Indicators of Compromise (IOCs)

• IP addresses: 185.220.101.1, 213.108.105.12
• SHA256 Hash: a92fe9be6f4c1c72e935dbf6f...
• Domains: command-center[.]xyz, megasend[.]host
• Ransom Note Filename: PAY_OR_ELSE.txt

Security teams should monitor traffic for outbound connections to these IOCs and block suspicious DNS resolutions and exfiltration channels.

Mitigation Recommendations

• Patch Microsoft Exchange and Fortinet VPNs immediately
• Implement strict RDP controls and MFA on all remote services
• Segment internal networks and disable lateral movement tools
• Backup critical systems offline; validate restore procedures regularly
• Deploy EDR/XDR solutions capable of detecting fileless or lateral attacks

Expert Quote

“This isn’t just ransomware. It’s cyberwarfare disguised as extortion,” said Amir Sadoughi, a senior threat researcher at Tel Aviv-based CyberDome. “The Pay2Key group is deploying a multi-purpose toolkit that aims to destroy, not profit.”

Conclusion

The return of Pay2Key signals an escalation in the use of ransomware as a geopolitical tool, especially in regions under rising cyber tension. Organizations in the Middle East and allied tech sectors must heighten threat hunting efforts and ensure IR (incident response) readiness.

Fortinet has issued a critical security update for its widely deployed FortiOS operating system, addressing a zero-click remote code execution (RCE) vulnerability that could allow unauthenticated attackers to gain full control of vulnerable devices.

The flaw, tracked as CVE-2024-21762, carries a CVSS score of 9.6 and affects several versions of FortiOS, the core operating system powering Fortinet’s flagship FortiGate firewalls and security appliances. According to Fortinet’s advisory, the vulnerability resides in the SSL VPN interface, and successful exploitation does not require user interaction or prior authentication.

Technical Overview

• CVE: CVE-2024-21762
• CVSS Score: 9.6 (Critical)
• Vulnerability Type: Unauthenticated Remote Code Execution
• Affected Component: SSL VPN (FortiOS)
• Attack Vector: Network-based
• User Interaction: None required

Fortinet confirmed that the vulnerability stems from improper validation of user input within the SSL VPN interface, allowing attackers to craft specially designed requests that can lead to arbitrary code execution on the underlying system.

Impacted Versions

The vulnerability affects the following versions of FortiOS:

• FortiOS 7.0.0 through 7.0.13
• FortiOS 7.2.0 through 7.2.5
• FortiOS 6.4.0 through 6.4.13

Fortinet recommends upgrading immediately to one of the patched versions:

• FortiOS 7.0.14
• FortiOS 7.2.6
• FortiOS 6.4.14

The company also strongly advises disabling the SSL VPN interface if a patch cannot be immediately applied, especially if it is exposed to the internet.

Exploitation in the Wild

While Fortinet has not confirmed exploitation at the time of publication, multiple threat intelligence groups have warned that threat actors are actively scanning for exposed FortiGate SSL VPN portals, and exploit code is expected to surface in the public domain shortly.

Given Fortinet’s history—including CVE-2022-40684, which was heavily weaponized by ransomware operators and APT groups—this new vulnerability is likely to draw swift attention from state-sponsored and financially motivated adversaries.

Mitigation and Recommendations

• Upgrade immediately to the latest FortiOS version (7.0.14, 7.2.6, or 6.4.14)
• Disable SSL VPN temporarily if patching is not feasible
• Monitor logs for suspicious activity on port 443/TCP
• Review user authentication logs and configuration changes
• Apply external access controls or geofencing to limit public exposure

Fortinet’s Statement

“We strongly encourage customers to upgrade to the latest patched release. Protecting the digital infrastructure of our clients is our highest priority, and we appreciate the rapid response from our community in deploying critical fixes,” the company said in its advisory.

Conclusion

This latest FortiOS vulnerability highlights the continued risks posed by edge-exposed VPN services in enterprise environments. Organizations relying on Fortinet solutions should prioritize patching and consider long-term mitigations, such as multi-factor authentication, segmentation, and routine firmware audits, to reduce their attack surface.