Luxottica Needs to be Held Accountable For Their Data Mishandling


After being fined over $600,000.00 for a HIPAA-related data breach stemming from an August 2020 incident, Luxottica admitted to a second, much more serious data breach (which they claim to have learned about in November of 2022, meaning it went undiscovered for at least a year and a half). This one occurred on or about March 16, 2021, according to D3Lab srl security researcher Andrea Draghetti.

Luxottica didn’t actually admit to this latest data breach until May 19, 2023, though, and only after the data had been leaked online twice: first on April 30th, then on May 12th, 2023. They delayed acknowledging the breach by at least 6 months.

The customer information accessed and exfiltrated during the data breach included full names, dates of birth, email address(es), postal address(es), and genders of some or all of the more than 74M people affected by this newest 300M-record data breach. This is serious Personally Identifiable Information. A LOT of it.

Exactly how much overlap between the 829,454 involved in the first data breach and the 74M involved in the second is not currently known, but it is “significant.”

Luxottica has said that they have notified the people that were involved in the second data breach. When? Not in March of 2021 after the breach. Not in November of 2022. Not after the data was leaked on April 30th, or again on May 12th. It’s May 28. The data has been in the hands of the exfiltrators for 2 years 2 months 12+ days, and has been “in the wild” for over 28 days.

Clients who have contacted me, whose data has been verified to have been involved in the breach, have confirmed that they were NOT informed by Luxottica, or any Luxottica reps, that their information was involved in the breach.

74 MILLION RECORDS. Put into perspective:

According to the U.N., 19 countries have a population greater than 74M.

74,000,000 records is approximately 21.8% of the United States population.

Did Luxottica do anything substantive about their security posture in the 7 months between the first data breach and the second? It doesn’t appear so. Apparently, they didn’t encrypt or secure their customer data in any meaningful way, nor did they increase their network awareness. They knew they were vulnerable. They had already suffered a serious data breach.

A lot of damage can be done in 2 years with 74M unique customer records. That danger is ongoing: many people are still unaware that their data was compromised, because Luxottica has failed to actually notify the victims of the data breach.

It is time for corporations to start being held liable when they are careless with customers’ personally identifiable information, with customers’ private data.

Thanks to BleepingComputer for informing me I was involved in a breach, with your article, and D3Lab srl for discovering and investigating the breach!

Shame on you, Luxottica, for your continuing weak security posture, for failing to protect your customer data, for failing to inform customers when their data was compromised, and for lying about it all.