Luxottica data breach exposes info of LensCrafters and EyeMed patients

A data breach suffered by Luxottica has exposed the personal and health information of patients of LensCrafters, Target Optical, and EyeMed.

Luxottica Group S.p.A. is an Italian eyewear conglomerate and the world’s largest company in the eyewear industry. As a vertically integrated company, Luxottica designs, manufactures, distributes and retails its eyewear brands, including LensCrafters, Sunglass Hut, Apex by Sunglass Hut, Pearle Vision, Target Optical, Eyemed vision care plan, and Glasses.com. Its best known brands are Ray-Ban, Persol, and Oakley. Luxottica also makes sunglasses and prescription frames for designer brands such as Chanel, Prada, Giorgio Armani, Burberry, Versace, Dolce and Gabbana, Miu Miu, and Tory Burch.

The Italian company employs over 80,000 people and generated 9.4 billion in revenue for 2019.

Luxottica was hit by a ransomware attack that took place on September 18.

In October, the Italian website “Difesa e Sicurezza” reported that that the Nefilim ransomware operators have posted a long list of files that appear to belong to Luxottica.

The huge trove of files appears to be related to the personnel office and finance departments.

The analysis of the leaked files revealed that they contain confidential information regarding the recruitment process, professional resumes, and info about the internal structures of the Group’s human resource department.

The exposed financial data includes budgets, marketing forecast analysis, and other sensitive data.

Now the news of another data breach made the headlines, a security breach has exposed the personal and protected health information for patients of LensCrafters, Target Optical, EyeMed, and other eye care practices.

The partners share a web-based appointment scheduling platform that is used by patients to schedule appointments online or over the phone.

Luxottica disclosed a security breach in the appointment scheduling application that took place on August 5, 2020.

According to a “Security Incident” notification issued this week by the company, it first became aware of the hack on August 9 and, after investigating the attack, determined on August 28 that the threat actors gained access to patients’ personal information.

“On August 9, 2020, Luxottica learned of the incident, contained it, and immediately began an investigation to determine the extent of the incident. On August 28, 2020, we preliminarily concluded that the attacker may have accessed and acquired patient information,” the Luxottica data breach notification states.

The notification confirms the exposure of information including personal data (PII) and protected health information (PHI), such as medical conditions and history. For some patients, exposed information included credit card numbers and social security numbers.

“The personal information involved in this incident may have included: full name, contact information, appointment date and time, health insurance policy number, and doctor or appointment notes that may indicate information related to eye care treatment, such as prescriptions, health conditions or procedures,” Luxottica warned.

Luxottica is offering a free two-year identity monitoring service through Kroll to those patients who had their payment information and SSNs exposed.

At the time the company is not aware of fraudulent activities abusing the exposed data, anyway, it is recommending its patients to remain vigilant for any suspicious activities and monitor their credit statements and history.

“We recommend that all potentially impacted individuals take steps to protect themselves, for example by closely monitoring notices from your health insurer and health care providers for unexpected activity.” states the company is a statement published on a website set up after the incident. “If your payment card information and/or Social Security number were involved in this incident, this is explicitly stated in your letter.”

On October 27th, the company began to notify affected users.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

[adrotate banner=”5″]

[adrotate banner=”13″]