Louis Vuitton did not heed Salesforce’s warnings and security recommendations to protect against voice phishing attacks from cybercriminals who stole customer data from the fashion house last summer, a proposed class action claims.
A 48-page complaint, filed in New York federal court on Tuesday by Maryland resident Adriana Winkler, claims that Louis Vuitton failed to stop a preventable data breach because it did not put in place security measures against an anticipated hack, which Salesforce and Google had warned about. Let’s take a look at the details.
Louis Vuitton Proposed Class Action
The lawsuit, revealed on Law360, claims: “On March 12, 2025, Salesforce published a blog for its customers titled ‘Protect Your Salesforce Environment from Social Engineering Threats.’”
“Salesforce identified the specific types of voice phishing (‘vishing’) attack that would soon be used against Louis Vuitton and outlined five ‘proactive measures’ Louis Vuitton should, and ultimately did not, take to strengthen its data security access controls.”
The suit alleges that Salesforce recommended that its corporate clients harden their networks to avoid voice phishing incidents.
Winkler filed the suit against Louis Vuitton in the Southern District of New York, claiming breach of implied contract, unjust enrichment, and a violation of the Maryland Consumer Protection Act, bringing the claims on behalf of a proposed nationwide class of everyone in the United States whose personal information was compromised in the attack from the ‘ShinyHunters’ hacking group.
Winkler requests that the court certify the proposed class, appoint lawyers to represent it and herself as class counsel, and issue injunctive relief requiring the company to protect all the information it gathers throughout the course of its business.
She also suggested that Louis Vuitton destroy all the data – unless it has a reasonable justification to keep it – as well as hire third-party security auditors to carry out periodic testing of its systems, like penetration tests and simulated attacks.
Winkler also wants Louis Vuitton to pay the expenses that the plaintiffs incurred while handling the fallout and unauthorized use of their data, along with damages, legal fees, and costs, according to the suit.
Her suit claims that Google’s Threat Intelligence Group (GTIG) had echoed a warning from Salesforce on June 4, cautioning that the ShinyHunters group was using social engineering “vishing” techniques.
Winkler said: “GTIG highlighted that ‘it’s essential for [Defendant] to configure and manage access, permissions, and user training according to best practices’ to prevent such data security incidents.”
The suit claims that ShinyHunters commenced its cyber attack on Salesforce and its corporate customers, including the defendant, in May 2025.
It is alleged that Louis Vuitton found out about the attack, later revealed to have taken place on June 7, but the company did not alert the people affected in the US until August 22.
Winkler claims: “Despite GTIG’s and Salesforce’s extensive and express warnings, Louis Vuitton failed to take appropriate steps to prevent the unauthorized access.”
SF Ben has contacted Salesforce, Louis Vuitton, and representatives of Winkler for comment.
The case filing claims that: “The data breach… occurred because Salesforce’s Data Loader portal, used by Louis Vuitton to import or export customer data, is easily mimicked by bad actors. The data breach at issue was highly preventable and perpetrated using techniques and vulnerabilities known to Defendant well in advance.”
It adds: “Plaintiff and Class Members have been substantially injured by Defendant’s data security failures. Plaintiff further believes that hers and Class Members’ PII has or will be published for sale on the dark web following the Data Breach, as that is the modus operandi of cybercriminals that commit cyberattacks of this type.
“As a result of the Data Breach, Plaintiff has suffered numerous injuries, including invasion of privacy, lost time and expenses mitigating the risk of data misuse, diminishment in value of her PII, and failing to receive the benefit of the bargain reached with Defendant.
“Plaintiff brings this action to hold Defendant accountable for its data security failures, enjoin its continued failure to implement basic and fundamental data security practices, and recover damages and all other relief available at law on behalf of themselves and members of the classes they seek to represent.”
The plaintiff demands a trial by jury on all claims so triable.
Previous Salesforce Customer Lawsuits
Winkler had been part of a proposed class action filed in November in the Northern District of California and led by Sieb Milton against Salesforce clients Louis Vuitton, TransUnion, and Qantas over the “hub-and-spoke” breach.
In that earlier suit, Milton had claimed the breaches took place through Salesforce’s Data Loader, which the threat actors had mimicked through voice phishing incidents. Milton alleged that Salesforce had warned clients in March about imminent attacks.
Several class action lawsuits were proposed in the Northern District of California against Salesforce and other corporate clients such as Farmers Insurance, Workday, and Pandora over the security incident, according to a January 9 order signed by U.S. District Judge Jacqueline Scott Corley.
The order granted the plaintiffs’ joint stipulation and consolidation of actions, setting the process for the interim class counsel appointment.
Several motions to relate cases were filed as legal actions mounted over the ShinyHunters attack, with some claimants petitioning the Judicial Panel on Multidistrict Litigation (MDL) to transfer and centralize the related cases.
In October, TransUnion asked the panel to transfer and centralize the related matters against it, according to Judge Corley’s January 9 order.
The panel denied the Salesforce Multidistrict Litigation petition in December, but granted TransUnion’s MDL petition. The order said that the panel had directed that eight related actions, which named both TransUnion and Salesforce as defendants and were pending in the Northern District of California, be moved to the Northern District of Illinois.
That leaves the remaining related actions, which named only Salesforce as a defendant, in California.
Some California cases, including Milton and Winkler’s, joined the action in Illinois on January 6.
The claims against Qantas, Salesforce, and Louis Vuitton were dismissed without prejudice on January 21, the docket says.
Summary
A lawsuit claims that Louis Vuitton did not heed Salesforce and Google’s warnings about an anticipated hack.
The suit alleges that Salesforce recommended its clients improve their security, but despite “extensive and express warnings”, Louis Vuitton did not take appropriate steps.