
2021 data breach exposed data of 70 Million Luxottica customers

Luxottica has finally confirmed the 2021 data breach that exposed the personal information of 70 million customers.

Luxottica Group S.p.A. is an Italian eyewear conglomerate and the world’s largest company in the eyewear industry. As a vertically integrated company, Luxottica designs, manufactures, distributes and retails its eyewear brands, including LensCrafters, Sunglass Hut, Apex by Sunglass Hut, Pearle Vision, Target Optical, Eyemed vision care plan, and Glasses.com. Its best known brands are Ray-Ban, Persol, and Oakley. Luxottica also makes sunglasses and prescription frames for designer brands such as Chanel, Prada, Giorgio Armani, Burberry, Versace, Dolce and Gabbana, Miu Miu, and Tory Burch.

On May 12, the cybersecurity expert Andrea Draghetti noticed that a threat actor had released data belonging to Luxottica and speculated that it came from a new data breach.

Luxottica 2023 breach

The threat actor released a 140GB database containing more than 300 million records. The researchers reported that the archive (luxottica_nice.csv) contained 305,759,991 records, with 74,417,098 unique email addresses and 2,590,076 unique email domains.

The most recent entry in the database is dated March 16th, 2021, which suggests it is a new data breach suffered by Luxottica.
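The figures reported for the leaked archive (total records, unique email addresses, unique email domains, most recent entry) are the standard triage numbers a defender computes to scope a leak and estimate when the data was taken. The following Python script is an added example, not code from the article or from the researchers cited; it assumes a CSV dump with `email` and `created_at` columns and uses a small constructed sample in place of a real file.

```python
"""Triage summary for a leaked customer-record CSV (added example).

Computes the same kind of figures reported for the leaked archive:
total records, unique email addresses, unique email domains, and the
most recent entry date. The column names `email` and `created_at`
and the sample rows below are constructed assumptions for this example.
"""
import csv
import io
from collections import Counter
from datetime import datetime
from typing import Optional

# Constructed sample dump standing in for a real leaked file.
SAMPLE_CSV = """email,name,created_at
Alice@Example.com,Alice,2019-04-02
alice@example.com,Alice,2020-11-30
bob@example.org,Bob,2021-03-16
carol@example.net,Carol,2018-07-19
,Dave,2021-01-05
not-an-email,Eve,2020-02-02
"""


def normalize_email(value: str) -> Optional[str]:
    """Lower-case and strip an address; return None if it is not usable.

    Case-folding matters: the same mailbox written with different casing
    would otherwise be counted twice and inflate the 'unique emails' figure.
    """
    value = value.strip().lower()
    if "@" not in value:
        return None
    local, _, domain = value.rpartition("@")
    if not local or not domain or "." not in domain:
        return None
    return f"{local}@{domain}"


def summarize_dump(csv_text: str, email_col: str = "email",
                   date_col: str = "created_at") -> dict:
    """Return record count, unique emails, unique domains, top domains, latest date."""
    reader = csv.DictReader(io.StringIO(csv_text))
    total = 0
    emails = set()
    domains = Counter()
    latest = None
    for row in reader:
        total += 1
        addr = normalize_email(row.get(email_col) or "")
        if addr:
            emails.add(addr)
        # Malformed or empty dates are skipped rather than aborting the run.
        raw = (row.get(date_col) or "").strip()
        try:
            entry_date = datetime.strptime(raw, "%Y-%m-%d").date()
        except ValueError:
            entry_date = None
        if entry_date and (latest is None or entry_date > latest):
            latest = entry_date
    # Domains are counted over unique addresses, not raw rows.
    for addr in emails:
        domains[addr.rpartition("@")[2]] += 1
    return {
        "records": total,
        "unique_emails": len(emails),
        "unique_domains": len(domains),
        "top_domains": domains.most_common(5),
        "latest_entry": latest.isoformat() if latest else None,
    }


if __name__ == "__main__":
    for key, value in summarize_dump(SAMPLE_CSV).items():
        print(f"{key}: {value}")
```

On a real dump the latest entry date is only a lower bound for the time of exfiltration: records can stop at the date the copy was taken, but they can also stop earlier if the attacker only exported part of the table.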

BleepingComputer first reported the news, and Luxottica confirmed that the data breach is the result of a new security incident suffered by a third-party contractor that was managing its customer data.

Exposed data includes customer names, emails, phone numbers, addresses, and dates of birth.

The investigation into the security breach is still ongoing.

“We discovered through our proactive monitoring procedures that certain retail customer data, allegedly obtained through a third-party related to Luxottica retail customers, was published in an online post.
We immediately reported the incident to the FBI and the Italian Police. The owner of the website where the data was posted has been arrested by the FBI, the website was shut down and the investigation is ongoing. The Italian data protection authority has also been notified and we are considering other notification obligations.
From our investigation, which is still going on, we know so far that the data primarily consists of customer contact details including names, addresses, phone numbers, emails and dates of birth. The data does not include individuals’ financial information, social security numbers, login or password data or other information that would compromise the safety of our customers.
EssilorLuxottica remains confident that its systems were not breached and its network remains secure.” reads the statement shared by Luxottica.

This is only the most recent in a series of security incidents suffered by the company.

On September 18, 2020, Luxottica was hit by a ransomware attack.

In October 2020, the Italian website “Difesa e Sicurezza” reported that the Nefilim ransomware operators had posted a long list of files that appeared to belong to Luxottica. The huge trove of files appeared to be related to the personnel office and finance departments.

The analysis of the leaked files revealed that they contain confidential information regarding the recruitment process, professional resumes, and info about the internal structures of the Group’s human resource department.

The exposed financial data included budgets, marketing forecast analysis, and other sensitive data.

In November 2020, another data breach made the headlines: a security breach exposed the personal and protected health information of patients of LensCrafters, Target Optical, EyeMed, and other eye care practices.

The partners share a web-based appointment scheduling platform that is used by patients to schedule appointments online or over the phone.

Luxottica disclosed a security breach in the appointment scheduling application that took place on August 5, 2020.

According to a “Security Incident” notification issued by the company, it first became aware of the hack on August 9, 2020 and, after investigating the attack, determined on August 28 that the threat actors gained access to patients’ personal information.

“On August 9, 2020, Luxottica learned of the incident, contained it, and immediately began an investigation to determine the extent of the incident. On August 28, 2020, we preliminarily concluded that the attacker may have accessed and acquired patient information,” the Luxottica data breach notification states.

The notification confirms the exposure of information, including personal data (PII) and protected health information (PHI), such as medical conditions and history. For some patients, exposed information included credit card numbers and social security numbers.

In November 2022, a database containing 300 million records of personal information of Luxottica customers in the United States and Canada was offered for sale on the hacking forum BreachForums.

Exposed customer data included names, email addresses, addresses, and dates of birth.


Pierluigi Paganini

(SecurityAffairs – hacking, data breach)


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field and a Certified Ethical Hacker (EC-Council, London). The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
