Salesforce Denies Blame in Privacy Suit Against It, TransUnion, Louis Vuitton and Qantas
Salesforce, TransUnion, Louis Vuitton and Qantas Airlines failed to protect the personally identifiable information (PII) of customers in a hub-and-spoke data breach this year, according to a class-action lawsuit filed against the companies earlier this month in U.S. District Court in San Francisco. Yet Salesforce told us Tuesday its network was not violated in the breaches.
The credit bureau, fashion house and Australian airline company are “Salesforce customers that used its services and software, and in doing so, entrusted Salesforce with the PII of their customers and employees.” Salesforce and its three client companies suffered data breaches in 2025.
“The ‘hub’ in this breach is Salesforce,” which “stores an enormous amount of its customers’ PII,” the complaint said. “Each of the cyber incursions … occurred because Salesforce’s Data Loader portal, used by spoke Defendants to import or export Salesforce data, is easily mimicked by bad actors,” even though the company “touts that it ‘follow[s] the Shared Responsibility Model and believe[s] security is a shared responsibility between Salesforce and its customers.’”
Salesforce told Privacy Daily its "platform has not been compromised, and this issue is not due to any known vulnerability in our technology." A company official referred us to a statement from Salesforce about the rise of social engineering attacks, as well as a Google Threat Intelligence blog post from June with analysis saying "attackers relied on manipulating end users, not exploiting any vulnerability inherent to Salesforce."
In June, Google’s Salesforce database was hacked, and the company’s Threat Intelligence Group confirmed there was unauthorized access to customers' contact information (see 2508070049).
In August, TransUnion reported a breach that may have exposed the personal information of more than 4.4 million customers (see 2508280024), which was the subject of a September lawsuit (see 2509240065).
Louis Vuitton’s June data breach was originally thought to have been limited to customers overseas, but that assessment was later updated to say some U.S. customers may have been affected too (see 2508280017).
Qantas Airlines suffered a breach in early July, impacting the personal information of 5.7 million customers (see 2507090041).
The suit argued that the “data breaches at issue were highly preventable and perpetrated using techniques and vulnerabilities known to Defendants well in advance.”
In March, Salesforce published a blog called “Protect Your Salesforce Environment from Social Engineering Threats,” indicating that it was “fully aware of the threats [to] and vulnerabilities” of its systems.
However, the lawsuit said Salesforce “did nothing to fortify its networks to prevent these attacks.”
The plaintiffs charged they “have suffered numerous injuries, including invasion of privacy, lost time and expenses mitigating the risk of data misuse, diminishment in value of their PII, lost time monitoring and repairing credit, and failing to receive the benefit of the bargain reached with Defendants.”
TransUnion, Louis Vuitton and Qantas Airlines didn't comment Tuesday on the lawsuit.