A database containing the personal information of more than 70 million Luxottica customers has been leaked twice in the past month on the dark web.
The records were stolen during a previously undisclosed data breach in 2021. An individual allegedly attempted to sell the data in November 2022. Recent leaks, the first on April 30 and the second on May 12, made the database available for free.
According to the cybersecurity news site BleepingComputer, Luxottica confirmed that the security breach occurred when the systems of a third-party contractor with access to customer data were hacked.
“We discovered through our proactive monitoring procedures that certain retail customer data, allegedly obtained through a third-party related to Luxottica retail customers, was published in an online post,” Luxottica told the online site.
“We immediately reported the incident to the FBI and the Italian Police. The owner of the website where the data was posted has been arrested by the FBI, the website was shut down and the investigation is ongoing. The Italian data protection authority has also been notified and we are considering other notification obligations.”
Italian cybersecurity firm D3Lab confirmed the authenticity of the stolen database. Andrea Draghetti, a researcher at the firm, determined the data was extracted on March 16, 2021.
This latest revelation is separate from a pair of widely reported cybersecurity incidents at Luxottica in 2020.
In August of that year, the company suffered a ransomware attack which shut down its online operations in Italy and China, and created website issues across its global footprint. A few weeks later, the company reported a patient data breach associated with its scheduling app which included the information of more than 800K individuals.
* 305.759.991 on luxottica_nice.csv
* 74.417.098 unique email address
* 2.590.076 unique domain mail
I don’t think it’s the data from the ransomware attack.
It is probably the data put up for sale on RaidForum, now released for free! pic.twitter.com/62uQWT4YQB
— Andrea Draghetti (@AndreaDraghetti) May 12, 2023