Posted on May 19, 2023 at 5:39 PM
Luxottica says data belonging to 70M customers was exposed after the database was leaked
Luxottica has said that one of its partners was affected by a data breach in 2021. The data breach exposed personal data belonging to 70 million customers after a database was released on hacking forums.
Luxottica confirms a 2021 data breach
Luxottica is the largest eyewear company globally. It deals in glasses and prescription frames. It is also behind top brands such as Dolce and Gabbana, Versace, Michael Kors, Prada, Chanel, Oakley, and others.
In November last year, one of the members of the now-defunct group known as “Breached” tried to sell data that reportedly contained 300 million records of personal data related to the customers of Luxottica in Canada and the United States. At the time, the seller said that the database contained customers’ personal details like email addresses, names, physical addresses, and dates of birth.
The data was advertised for a private sale on Breached. However, at the time, it was still unclear whether the data was stolen through a new attack or through two attacks that hit the company in 2020.
Luxottica was hacked in August 2020, resulting in the exposure of personal data belonging to 829,454 patients at EyeMed and Lenscrafters. After one month, the company suffered yet another attack. The second one was a ransomware attack that led to the company shutting down its operations in China and Italy.
However, the database was recently leaked for free. The leak happened between April 30 and May 12, with the data being published on multiple hacking forums. As a result, the leaked data is now more widely available to hackers.
Andrea Draghetti, the top researcher at the Italy-based cybersecurity company D3Lab, analyzed the leaked data, which has 305 million lines, 2.6 million unique domain email addresses, and 74.4 million unique email addresses.
Draghetti also said that the exfiltration date for the data was March 16, 2021, going by the recent database records. These records show that the data likely came from a data breach that was not previously disclosed.
Leaked data came from a new breach
Luxottica has said that the released data came from a security breach that affected a third-party contractor with access to customer data. The firm has also said that it is still conducting investigations into the breach.
“From our investigation, which is still going on, we know so far that the data primarily consists of customer contact details, including names, addresses, phone numbers, emails, and dates of birth. The data does not include individuals’ financial information, social security numbers, login or password data, or other information that would compromise the safety of our customers,” the company said.
A spokesperson from the company said that they learned of the breach through a third-party post that was published on the dark web in November 2022. The leaked data includes over 77 million unique accounts, and out of this number, 74% already exist in the platform’s records.