Plaintiffs Drop Data Breach Lawsuits Against Dior Over Salesforce Hack

December 16, 2025 - By TFL

Key Points

Five proposed class action lawsuits against Dior over a data breach linked to Salesforce were voluntarily dismissed without prejudice.

The Dior cases were part of nearly 100 suits tied to a broader breach, where hackers used holes in Salesforce’s tech to access client data.

With Dior now out, attention turns to whether other companies will continue facing litigation or if the coordinated case will lose momentum.

Dior has escaped a handful of lawsuits over its handling of a cyberattack that exposed the personal data of customers in the U.S. The LVMH-owned brand was the target of five proposed class action cases filed in the Southern District of New York this summer, alleging that it failed to implement basic safeguards to protect sensitive customer information, leaving consumers vulnerable to identity theft, fraud, and long-term misuse of their data. In a filing on December 9, the plaintiffs alerted the court that they were voluntarily dismissing their cases against the luxury giant.

The dismissals mark a retreat in the broader wave of litigation targeting data breaches that have increasingly plagued retail companies, as consumers and regulators scrutinize how brands handle and protect sensitive customer information managed by third-party vendors like Salesforce.

The Background in Brief: In the wake of a January 2025 cyberattack, Christian Dior Inc. faced a wave of proposed class actions alleging it failed to safeguard the personal data of U.S. customers. Filed in the Southern District of New York by plaintiffs from Illinois, Pennsylvania, California, and Florida, the lawsuits claimed Dior stored sensitive information – including names, addresses, birthdates, and government ID numbers – in an unencrypted and unredacted format, making it easy for attackers to exploit once they gained access.

At the core of the complaints were allegations of delayed detection and disclosure. Christian Dior allegedly did not discover the breach until May 7 and did not notify affected individuals until mid-July, nearly six months after the initial breach in January, a delay that plaintiffs argued left them unable to take timely protective steps. Some reported actual harm, including fraudulent tax filings and attempted financial fraud. The suits accuse Dior of negligence, breach of implied contract, and unjust enrichment, arguing the company reaped the benefits of collecting customer data without investing in proper security to protect it.

The lawsuits sought class action status on behalf of consumers whose personal information was allegedly exposed through a breach involving Salesforce, a third-party vendor. While the breach stemmed from a Salesforce compromise, plaintiffs argued Dior failed in its duty to protect customer data by storing it without adequate safeguards and relying on a vendor that was ultimately compromised.

The Bigger Picture

In respective filings on December 8, the plaintiffs notified the court that they were voluntarily dismissing their individual lawsuits against Christian Dior Inc. without prejudice, ending those cases against all of the named defendants. With the Dior-related suits now closed, potentially the result of confidential settlement agreements, attention is shifting to whether other companies named in the broader Salesforce data breach litigation will continue to face aggressive legal scrutiny, or whether similar dismissals may signal a broader unraveling of coordinated efforts across the docket.

These cases are part of a growing wave of lawsuits stemming from what has been described as a “hub-and-spoke” breach, in which attackers allegedly exploited vulnerabilities in Salesforce’s software to gain unauthorized access to sensitive customer information stored on behalf of dozens of corporate clients.

To date, nearly 100 lawsuits have been filed in connection with the breach, naming not only Salesforce Inc. but also a wide array of companies that relied on its platforms for customer data management. Among those named are Allianz Life Insurance Company of North America, Dior, and other prominent brands. Plaintiffs across these suits claim the breach was not only foreseeable but preventable, accusing both Salesforce and its clients of failing to implement adequate security protocols or provide proper oversight of highly sensitive personal data.

The Dior cases had been part of a pending motion before the Judicial Panel on Multidistrict Litigation, which is considering whether to consolidate the sprawling litigation for pretrial coordination. The withdrawal of these cases could either dilute the momentum for centralization or narrow the field of defendants, streamlining proceedings around the most viable claims.

The cases are Toikach v. Christian Dior, Inc., 1:25-cv-6058 (S.D.N.Y.); Ansryan v. Christian Dior Inc., 1:25-cv-06705 (S.D.N.Y.); Holland v. Christian Dior, Inc., 1:25-cv-6200 (S.D.N.Y.); and Bhatt et al. v. Christian Dior, Inc. et al., 1:25-cv-2605 (S.D.N.Y.).
