Luxottica admits to 2021 data breach that exposed personal information of 70 million customers

The company attributed it to a security incident suffered by a third-party contractor who was managing the company’s customer data.


Italian company Luxottica, the world’s largest in the eyewear industry, has confirmed the 2021 data breach that exposed the personal information of 70 million customers.

On 12 May, cybersecurity expert Andrea Draghetti speculated that Luxottica had suffered a data breach after he noticed that a threat actor had released a 140GB database with more than 300 million records. The released file (luxottica_nice.csv) included 305.759.991 records, with 74.417.098 unique email addresses and 2.590.076 unique domain emails.

Source: Security Affairs

Researchers observed that the most recent entry in the database was from 16 March 2021, suggesting it was a new data breach suffered by the company.

Following a report by BleepingComputer, Luxottica confirmed this data breach and attributed it to a security incident suffered by a third-party contractor who was managing the company’s customer data. The exposed data included names, email IDs, phone numbers, addresses and dates of birth of customers. Investigations into the security breach are reportedly still under way.

Luxottica has faced several data breaches in the last few years. On 18 September 2020, Luxottica suffered a ransomware attack. In October of the same year, the Italian website ‘Difesa e Sicurezza’ reported that the Nefilim ransomware gang had posted a list of files belonging to Luxottica containing confidential information from the personnel office and finance departments. In November 2020, the sensitive personal information of patients of Luxottica, LensCrafters, Target Optical, EyeMed, and other eye care companies was exposed due to a security breach in the shared web-based appointment scheduling platform. Further, in November 2022, a database containing 300 million records of personal information of US and Canada-based customers of Luxottica was available for sale on the hacking forum BreachForums.