Luxottica has confirmed one of its partners suffered a data breach in 2021 that exposed the personal information of 70 million customers after a database was posted this month for free on hacking forums.
Luxottica is the world’s largest eyewear company, a maker of glasses and prescription frames, and the owner of popular brands such as Ray-Ban, Oakley, Chanel, Prada, Versace, Dolce and Gabbana, Burberry, Giorgio Armani, Michael Kors, and many others. The company also operates EyeMed, a vision insurance company in the US.
In November 2022, a member of the now-defunct “Breached” hacker forum attempted to sell what he claimed to be a 2021 database containing 300 million records of personal information related to Luxottica customers in the United States and Canada.
According to the seller, the database contained customers’ personal information, such as email addresses, first and last names, addresses, and date of birth.
The dump was offered for private sale on Breached at the time, so it was not clear whether the data was stolen in a new attack or during one of the two attacks that impacted the company in 2020.
Luxottica suffered a data breach in August 2020 that exposed the personal information of 829,454 EyeMed and Lenscrafters patients. The following month, Luxottica once again suffered an attack, this time a ransomware attack that shut down the company’s operations in Italy and China.
However, more recently, the database was leaked in its entirety for free on April 30th and May 12th, 2023, on different hacking forums, making the data far more accessible to threat actors.
Andrea Draghetti, lead researcher at the Italian cybersecurity firm D3Lab, analyzed the leaked data and confirmed to BleepingComputer that it contains 305 million lines, 74.4 million unique email addresses, and 2.6 million unique email domains.
Draghetti also determined the exfiltration date to be March 16th, 2021, based on the most recent database records, meaning that the data likely originated from a previously undisclosed data breach.
Luxottica confirms new breach
After BleepingComputer contacted Luxottica about the published data, the firm confirmed that the leaked data came from a security incident that impacted a third-party contractor holding customer data.
The firm added that its investigation of the incident is still underway. However, it has already determined that the exposed data contains full customer names, emails, phone numbers, addresses, and dates of birth.
“We discovered through our proactive monitoring procedures that certain retail customer data, allegedly obtained through a third-party related to Luxottica retail customers, was published in an online post.
We immediately reported the incident to the FBI and the Italian Police. The owner of the website where the data was posted has been arrested by the FBI, the website was shut down and the investigation is ongoing. The Italian data protection authority has also been notified and we are considering other notification obligations.
From our investigation, which is still going on, we know so far that the data primarily consists of customer contact details including names, addresses, phone numbers, emails and dates of birth. The data does not include individuals’ financial information, social security numbers, login or password data or other information that would compromise the safety of our customers.
EssilorLuxottica remains confident that its systems were not breached and its network remains secure.” – Luxottica
When asked when the company first became aware of the breach, a Luxottica spokesperson answered: “We first learned of the incident from a third-party post on the dark web in November 2022.”
Troy Hunt, the owner of the “Have I Been Pwned” (HIBP) data breach notification service, told BleepingComputer that the leaked data includes 77,093,812 unique accounts, 74% of which are already in the platform’s records.
Hunt told us that HIBP will send out over 320,000 notices of a breach to subscribers of the platform today concerning the 2021 Luxottica data breach.
To check whether your information was exposed in this breach, visit the HIBP site and search for your email address on the main page; the site will list all data breaches in which your email address was exposed.
Source: www.bleepingcomputer.com