Luxottica has confirmed that one of its partners suffered a data breach in 2021 that exposed the personal information of 70 million customers after a database was released for free this month on hacking forums.
Luxottica is the world’s largest manufacturer of prescription eyewear and frames, and owner of popular brands such as Ray-Ban, Oakley, Chanel, Prada, Versace, Dolce and Gabbana, Burberry, Giorgio Armani, Michael Kors and many others. The company also operates EyeMed, a vision insurance company in the United States.
In November 2022, a member of the now defunct ‘Breached’ hacker forum tried to sell what he claimed was a 2021 database containing 300 million records of personal information relating to Luxottica customers in the United States and Canada.
According to the seller, the database contained personal information about customers, such as email addresses, first and last names, addresses and date of birth.
The dump was being offered for private sale on Breached at the time, so it was unclear whether the data had been stolen in a new attack or in one of the two attacks the company was hit by in 2020.
Luxottica suffered a data breach in August 2020 which exposed the personal information of 829,454 EyeMed and LensCrafters patients. The following month, Luxottica was hit again, this time by a ransomware attack that shut down the company’s operations in Italy and China.
However, more recently, the database was leaked in its entirety for free on April 30 and May 12, 2023, on various hacking forums, making the data much more accessible to threat actors.
Andrea Draghetti, lead researcher at Italian cybersecurity firm D3Lab, analyzed the leaked data and confirmed to BleepingComputer that it contained 305 million rows, 74.4 million unique email addresses and 2.6 million unique email domains.
Draghetti also determined that the exfiltration date was March 16, 2021, based on the most recent database records, meaning the data likely came from a previously undisclosed data breach.
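The kind of first-pass triage described above (row count, unique addresses, unique domains, and the newest record as an estimate of the exfiltration date) can be scripted. The following is an added example, not code from the researcher or the article; it runs over a small constructed CSV sample whose column names (`email`, `created_at`) are assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample rows standing in for a leaked-dump export (not real data).
# Column names are an assumption; real dumps vary.
SAMPLE_DUMP = """email,first_name,last_name,dob,created_at
Alice@Example.com,Alice,Smith,1980-01-02,2020-11-03
alice@example.com,Alice,Smith,1980-01-02,2021-02-10
bob@example.org,Bob,Jones,1975-07-14,2021-03-16
carol@store.example,Carol,Lee,1990-05-30,2019-08-21
,Dan,Brown,1988-12-12,2020-01-01
"""


def triage_dump(text):
    """Count rows, unique (case-folded) emails and unique domains, and
    find the newest record date, which bounds when the data was taken."""
    rows = 0
    emails = set()
    domains = set()
    latest = None
    for rec in csv.DictReader(io.StringIO(text)):
        rows += 1
        addr = (rec.get("email") or "").strip().lower()
        if "@" in addr:  # skip blank or malformed address fields
            emails.add(addr)
            domains.add(addr.rsplit("@", 1)[1])
        try:
            d = date.fromisoformat(rec.get("created_at") or "")
        except ValueError:
            continue  # unparseable or missing timestamp: ignore for dating
        if latest is None or d > latest:
            latest = d
    return {
        "rows": rows,
        "unique_emails": len(emails),
        "unique_domains": len(domains),
        "latest_record": latest,
    }


if __name__ == "__main__":
    print(triage_dump(SAMPLE_DUMP))
```

The newest record only gives a lower bound on the exfiltration date; it should be reconciled with access logs before being treated as the incident date.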
Luxottica confirms a new breach
After BleepingComputer contacted Luxottica about the released data, the company confirmed that the leaked data originated from a security incident that affected a third-party contractor holding customer data.
The firm added that its investigation into the incident is still ongoing. However, it has already determined that the exposed data contains customers’ full names, emails, phone numbers, addresses and dates of birth.
“We have discovered, through our proactive monitoring procedures, that certain retail client data, allegedly obtained through a third party linked to Luxottica’s retail clients, has been published in an online publication.
We immediately reported the incident to the FBI and the Italian police. The owner of the website on which the data was posted has been arrested by the FBI, the website has been shut down and the investigation is ongoing. The Italian Data Protection Authority has also been informed and we are considering further notification obligations.
From our investigation, which is still ongoing, we know so far that the data consists primarily of customer contact details, including names, addresses, phone numbers, emails and dates of birth. The data does not include individuals’ financial information, social security numbers, login or password data, or other information that would compromise the security of our customers.
EssilorLuxottica remains confident that its systems have not been hacked and that its network remains secure.” - Luxottica
When asked when they first realized the breach, a Luxottica spokesperson replied, “We first learned of the incident through a third-party dark web post in November 2022.”
Troy Hunt, owner of the Have I Been Pwned (HIBP) data breach notification service, told BleepingComputer that the leaked data includes 77,093,812 unique accounts, 74% of which are already on file with the platform.
Hunt told us that HIBP will send more than 320,000 breach notices to platform subscribers today regarding the 2021 Luxottica data breach.
To check if your information has been exposed in this breach, you can visit the HIBP site and search for your email address on the main page, and the site will list all data breaches your email address has been exposed to.