Luxottica Data Breach: What Happened, Who Was Affected, and Steps to Protect Yourself

June 20, 2024

The 2021 data breach at eyewear conglomerate Luxottica came as a real shock to the 77,093,812 users whose personal data was exposed.

But cybersecurity experts weren’t too surprised: they know online attacks are now a part of daily life.

According to a UK government survey, hackers attacked 50% of businesses and 32% of charities during 2023. Almost three-quarters (74%) of larger businesses were attacked, usually through simple phishing scams, but also through impersonating other organizations and launching viruses and other malware. 

As the owner of the world’s leading eyeglasses manufacturers, stores, and insurance companies, Luxottica should have been better prepared. 

In this article, we’re going to analyze what went wrong in the Luxottica data breach and what consumers and other organizations can learn.

What happened in the Luxottica data breach?

While the Luxottica data breach was perpetrated in 2021, we’re just now discovering the actual extent of the information leaked, due to the data being released in April of 2023.

Let’s shed some new light on this shady situation.

“Sin”’s post on Breached, advertising the sale of Luxottica customers’ data (@AndreaDraghetti)

In 2022, a hacker going by the name “sin” on the dark website Breached began advertising the information of 77,093,812 users exposed by the breach for private sale. The next year, the full database was leaked for free on online forums, renewing concerns that the data breach was more comprehensive than originally thought.

According to the company itself, the leak stemmed from a blurry incident at a third-party retail vendor, which stored only personal information as opposed to more sensitive material.

Luxottica has been slow to update its clients about the case. Sure, they reported it to the Italian Police and the FBI, who shut the Breached website down. However, the company’s stock price at the time showed no signs of any meaningful drop, and there has been no effort to compensate its customers for the breach.

Extent and impact of the Luxottica Data Breach

Luxottica Vision is the world's largest provider of eyewear, owning brands like Burberry, Oakley, Dolce and Gabbana, Chanel, and Ray-Ban, as well as a vision insurance company.

Although the common claim that Luxottica controls 80% of the eyewear market is dubious, it at least gives you an idea of the size of its clientele.

Over 300 million records from 77,093,812 different users were involved in the leak—an enormous number by any standard. Because of the combination of medical, financial, and personal information included in their databases, Luxottica's data breach could have been even more damaging for those involved. 

If you've donned a pair from local boutiques, mega-retailers, or clicked to buy online, it's time to “focus” and reach out to ascertain the safety of your data. Additionally, if EyeMed Insurance is your go-to, or if LensCrafters is where you get your vision checked, you might be in the affected spectrum as a potential victim.

What personal data was leaked and exposed in the Luxottica breach?

While the extent of the damage is still being determined in some cases, Luxottica did confirm that the data leaked includes:

  • First and last names
  • Email addresses
  • Phone numbers
  • Date of birth
  • Physical addresses

In a statement to cyber security news site BleepingComputer, Luxottica claimed: 

“The data does not include individuals’ financial information, social security numbers, login or password data, or other information that would compromise the safety of our customers.”

What companies were impacted by the Luxottica data breach?

This breach was targeted at Luxottica itself—not more specifically at one of its subsidiaries. That means that any of the companies under the Luxottica umbrella could have been impacted: 

  • Ray-Ban
  • Oakley
  • Oliver Peoples
  • Persol
  • Vogue Eyewear
  • LensCrafters
  • Sunglass Hut
  • EyeMed Vision Care

Brands under license:

  • Chanel 
  • Burberry
  • Giorgio Armani
  • Versace
  • Prada
  • Michael Kors

What to do if you were impacted by the Luxottica data breach

Anyone who has been notified that their data was included in the Luxottica data breach should immediately:

1. Check if you were exposed to the Luxottica breach 

The reach of Luxottica is vast, so even if you haven’t heard of the company, it doesn’t mean you’re safe.

  • Look in your inbox for any communication from Luxottica or its affiliated brands like Chanel, Prada, Versace, Dolce and Gabbana, Burberry, Giorgio Armani, Michael Kors, and EyeMed.
  • Use a breach notification website like Cloaked’s Have I Been Breached. The page checks if your email address or other personal information was compromised by the Luxottica data breach or one of many other incidents.

2. Change and protect your passwords 

The Luxottica data breach proves that no company is too big to be hacked. Therefore, you can’t rely on any site to keep your password 100% safe. Changing to a strong password with a mix of uppercase, lowercase, numbers, and special characters is your first port of call. 

You need to have a different password for every app, too. If bad actors get hold of your username and password from a leak like Luxottica, they may try to use them to access different sites. 

Sure, it’s not easy to remember a list of different passwords, so an increasing number of security-focused people are turning to solid password managers. Google Password Manager is often the first that comes to mind since it’s easy to use and built right into Chrome. 

However, as the world’s top browser, it’s a seductive target for hackers. On top of that, Google Password Manager has limited biometric and 2FA authentication and lacks the “zero knowledge” ethos of password management, leaving your user information vulnerable. 

Fortunately, advanced password managers like Cloaked will generate new, complex passwords with a few clicks and protect you with encrypted password-protected links and one-time passcodes. 

Cloaked’s password manager in action, concealing your ID online

For greater security, you can enable two-factor authentication to enter the Cloaked app, blocking hackers even if they uncover your password. 

3. Monitor your information

Monitoring your information is one of the best habits to begin if you’re serious about safeguarding your personal information. For example, having credit monitoring services in your toolbox alerts you about any anomalies in your spending and account behavior. If password management is a proactive initiative, credit monitoring allows you to stamp out any breaches after the fact.

Leading cyber security apps now offer identity theft protection, with features like identity insurance, profile restoration, and credit records balancing. This is an excellent solution in a world where hackers are always one step ahead of the resistance of companies like Luxottica.

Cloaked has recently launched a product to scan and actively remove your information from the web. The risk assessment scan will determine your level of risk, before deleting any occurrences in 120+ data brokers and websites. This helps to make you less vulnerable to fraud, scams, and phishing attempts. 

4. Look into a Luxottica Data Breach Lawsuit 

It may not surprise you that this isn’t the first breach at Luxottica. Back in June 2020, 2.1 million patients of EyeMed Vision Care, Luxottica’s vision insurance company, suffered a breach that included personal contact information, social security numbers, medical diagnoses and conditions, and treatment information. The hacker then used an EyeMed Vision Care account to send out phishing emails, which caused even more damage. 

A case brought by state attorneys general from Oregon, New Jersey, Florida, and Pennsylvania found that EyeMed had failed to uphold HIPAA (Health Insurance Portability and Accountability Act) and state laws. Multiple EyeMed employees were guilty of a range of poor security measures, such as sharing a single password for a sensitive email account, only partial two-factor authentication, and risk assessment failures. 

Fast-forward to the 2021 Luxottica data breach case and it seems a data breach lawsuit may be more difficult. Because Luxottica is a non-US company, US laws do not apply. However, keep an eye on news relating to the case to identify whether you’re eligible for compensation.

5. Reduce your digital shadow and footprint 

As more people become aware of the need for online identity protection, they’re looking to technology like Cloaked for comprehensive solutions to keep them safe. 

Cloaked allows you to: 

  • Use anonymous email addresses to create disposable email addresses to register for things like glasses purchases online. The online company only sees your “Cloak”, rather than your email address, and Cloaked will store any spam messages you receive.
  • Mask your phone numbers by generating temporary numbers to use in place of your real number, safeguarding your privacy when signing up for online services.
  • Leverage privacy browser extensions to block trackers and ads that follow you online, keeping you anonymous and reducing the data that companies collect on you.
  • Generate virtual credit cards, both single-use and limited-use, to protect your financial information during online transactions.
  • Assume a secret identity including names, working emails, phone numbers, and passwords in seconds to protect your identity online. 
  • Share your encrypted identities with select recipients, and even put a time limit on their access to avoid handing over real-life data. 
  • Create and store one-time passcodes for any of your identities that autofill across mobile, dashboard, and extensions.
  • Store additional information with Cloaked identities, such as bank account information, addresses, API keys, and more. Decide who to share them with and for how long. 

6. Keep an "eye" on Luxottica's updates

It’s fair to say Luxottica has been rather cagey about the information they have released regarding the data breach. Not offering specifics on where or how the breach happened doesn’t exactly inspire confidence. 

Similarly, the company doesn’t inspire confidence when it claims to have identified the breach through “proactive monitoring procedures” when it is generally accepted to have been discovered when the data was put up for sale.

Learn more about the Luxottica data breach

For more information closely related to the most recent Luxottica data breach, take a look at these questions. 

Did Luxottica have a data breach recently?

Yes, Luxottica experienced a significant data breach in 2021. Exposed on various hacking forums in 2023, the breach included the names, email addresses, physical addresses, phone numbers, and dates of birth of over 77 million customers. 

A previous breach occurred in 2020, compromising more serious data such as social security numbers, medical diagnoses and conditions, and treatment information of 829,454 customers from EyeMed, a subsidiary of Luxottica.

What is the controversy with Luxottica?

The controversy surrounding Luxottica revolves around its multiple data breaches and its dominant position in the eyewear market. The company's data breaches exposed the sensitive information of millions of customers, raising concerns about its cybersecurity practices and data protection measures. 

Additionally, the controversy over Luxottica's market dominance centers on allegations that it inflated prices by 1,000% and used its position to run a hostile takeover of Oakley.

What major eyewear vendor has had a data breach?

Luxottica, the world's largest eyewear company, has had significant data breaches. The breaches in 2020 and 2021 exposed the personal information of millions of customers, making them among the most notable data breaches in the eyewear industry.

Which company had the biggest data breach? 

The 2013 Yahoo database infiltration wound up affecting more than three billion Yahoo accounts worldwide. Unlike Luxottica’s breach, it continued for over three years, leading to Yahoo paying out $35 million and finding itself in other class-action lawsuits. 

Protect yourself from future data breaches

Minimizing the amount of information available about you online doesn't have to be difficult. With Cloaked, you can “clear” your vision. Cloaked allows you to create unique identities for every new account and connection, putting you in control of access to your data. 

Click here to get started with Cloaked and protect yourself from cyber threats.
