Luxottica data breach: what it means and how to safeguard yourself from online threats

Luxottica, the world’s largest eyewear company with over 13,000 stores and 700+ million customers globally, has faced numerous security incidents in recent years—including the Luxottica data breach events of 2020 and 2021. In 2023, millions of customers’ records linked to these breaches surfaced online, sparking widespread concern.
As one of the many large-scale attacks on businesses around the world, the Luxottica data breach reveals the exposure of personal information and the need for better safeguards as the two fast-growing problem areas for organizations and individuals. In this article, we’ll explore the Luxottica breach details and share the steps to protect yourself going forward.
What is the Luxottica data breach: understanding the incidents
The Luxottica breaches were rather short but affected thousands of customers. The timeline of all three incidents is as follows:
August breach and September ransomware attack
- Date(s) breach occurred: August 5, 2020
- Date(s) breach discovered: August 9, 2020
- Date(s) attack occurred: September 18, 2020
- Date(s) breach occurred: March 16, 2021
- Date(s) stolen information appeared on sale: November 2022
- Date(s) data leaked to free online forums: April 30 and May 12, 2023
What happened in the 2020 Luxottica data breach?
In addition to owning major eyewear brands like Ray-Ban and Oakley, Luxottica operates EyeMed, a vision benefits company, and partners with multiple eye care providers. These partners have access to Luxottica’s web-based scheduling software where patients book appointments online and by phone.
On August 5, 2020, cybercriminals hacked the scheduling software through EyeMed and LensCrafters’ systems. As a result, the personal and HIPAA-protected health information of more than 829,000 patients was exposed. The breach was discovered on August 9, 2020, and Luxottica took immediate steps to launch an investigation and mitigate the damages. In November 2020, the company sent official notifications to the individuals affected.
Just a month later, in September 2020, Luxottica was hit by a massive ransomware attack. The company’s websites – one.luxottica.com and university.luxottica.com – went offline, displaying “temporarily unavailable” messages. Offices in Italy and China were practically disabled, with employees instructed to stay at home. Later, the company confirmed the ransomware attack.
What types of data were exposed?
- Names
- Contact details
- Financial information
- Social Security numbers
- Protected health information (e.g. health insurance policy numbers, appointment dates, appointment times, appointment notes, etc.)
What were the legal consequences of the 2020 breach?
Luxottica faced litigation after the 2020 data breach. Lawsuits accused the company of failing to implement “reasonable and appropriate” security measures, which resulted in HIPAA violations.
Eventually, Luxottica agreed to a $250,000 settlement to cover claims of the affected clients. Additionally, participants of the class action whose financial, Social Security, and health information was stolen became eligible for reimbursement of their lost time and out-of-pocket losses, as well as for two years of free credit monitoring and a pro rata cash payment.
How did the 2021 Luxottica data breach happen?
The 2021 Luxottica breach happened on March 16, 2021, but was only discovered in November 2022, when a hacker advertised a dataset with the personal information of 77,093,812 users for sale on the dark web.
The next year, in April and May 2023, the full dataset was made freely accessible on hacker forums. The eventual Luxottica data leak revealed that the breach was more extensive than initially reported.
According to the company, the breach occurred because of a third-party retail vendor incident. This time, Luxottica was slow to take measures or to notify its customers about the threat. While Luxottica claimed the leaked data did not include sensitive information, many users strongly disagreed, as their experiences suggested otherwise.
What personal data was leaked?
- Names
- Email addresses
- Addresses
- Phone numbers
- Dates of birth (DOBs)
In its statement to BleepingComputer, Luxottica claimed that no SSNs, financial details, login data, or passwords were stolen and that nothing was threatening customer safety.
How big was the breach?
The breach targeted the Luxottica group as a whole. However, given the number of companies operating under the Luxottica umbrella, multiple entities could have been affected. This includes well-known companies and brands like:
- Ray-Ban
- Oliver Peoples
- Oakley
- Persol
- Sunglass Hut
- Vogue Eyewear
- LensCrafters
- EyeMed Vision Care
Troy Hunt, a web security expert and founder of haveibeenpwned.com, confirmed that 77,093,812 unique accounts were leaked in the breach, totaling 300M+ records. He also added that 74% of the leaked accounts were already in the Have I Been Pwned records, which suggests ongoing data repackaging and misuse.
How did Luxottica respond?
Despite the massive impact of the Luxottica data breach, the company continued to claim that no sensitive information was stolen and denied any wrongdoing.
EssilorLuxottica remains confident that its systems were not breached and its network remains secure.
What complicates matters is the fact that Luxottica is a multinational company, which means it operates under different jurisdictions and has to comply with various data sovereignty laws. Specifically, Luxottica is subject to both HIPAA, which protects sensitive health information in the U.S., and GDPR, which protects all personal data of EU residents.
Why these breaches matter beyond Luxottica
The multiple incidents of the Luxottica breach have implications that go far beyond the company itself. Not only did they affect millions of customers, but they also sparked public concern and underscored broader cybersecurity risks across the healthcare and retail sectors.
More specifically, the Luxottica breach brought several key issues to light:
1. How customer data is shared — often without your knowledge.
Many victims of the breach claim they never knowingly interacted with Luxottica itself. This suggests that their personal information may have been collected through indirect channels such as:
- Optometrists
- Insurance plans like EyeMed
- Partner retailers like Costco or Sears Optical
Apparently, Luxottica companies were sharing customer data without consent, which explains the massive number of unique accounts leaked and caused ethical and legal repercussions for the companies involved.
2. Public concerns spread fast via online sources.
The Luxottica data breach resulted in plenty of discussions on social media, where users from the U.S. and beyond (e.g. Canada, South Africa, and Europe) were both confused and outraged about the incidents.
3. Massive breaches like Luxottica emphasize the still opaque nature of personal data collection.
The Luxottica breach incidents highlight how even huge corporations can fall short on fundamental cybersecurity measures. They also reflect an evolving threat landscape: hackers increasingly target healthcare data, ransomware attacks are surging, and stolen information is rapidly monetized and spread across the dark web.
The dark web fallout of the Luxottica breach
While Luxottica claimed no compromise of sensitive personal data (like payment details), customer stories shared on Reddit suggest otherwise. After the data was put up for sale on Breached and then became freely accessible on hacker forums, the risks to the affected customers increased significantly. Even without passwords or credit card numbers, the combination of name, email, phone, date of birth, and address is enough to cause serious harm. Among the risks are:
- Phishing
- Targeted impersonation scams
- SIM swaps
- Credential stuffing
- Financial fraud
After the Luxottica dark web incident, many victims received notifications from monitoring services confirming the data leak and highlighting the scale of the breach.
As one Reddit user noted: “I am … in the data breach despite the fact that I’ve never bought eyewear online or supplied my information when buying in person... except that I did an eye exam and bought a couple of pairs through Costco optical center in 2021. Now I’m worried what type of information Costco possibly shared with third-party without my consent, aside from my personal email address.”
Other real-world stories include a completely drained Venmo account. The victim received a text notification about a new bank account added to their Venmo and reacted within seconds. However, all the money was already withdrawn.
Another Reddit user complained of an increase in strange calls after their phone number was leaked; yet another unlucky Redditor told a shocking story about receiving a phone call from an impostor sheriff. The caller told them that they had missed jury duty and could be arrested. The worst part is that the person impersonating a sheriff had all the information about the victim, including their name, address, SSN, and more.
Luxottica data breach: what to do
If you were affected by the Luxottica data leak or suspect your data to be compromised, here are the first steps you should take.

Check if you were breached
Firstly, use monitoring services like haveibeenpwned.com to check if your email is found in breached data records.
Additionally, check your email for official notifications from EyeMed, LensCrafters, or other companies affiliated with Luxottica. Typically, brands will notify affected customers about such security incidents. However, stay alert for phishing emails disguised as breach notifications: criminals may impersonate well-known companies and other institutions to trick you into handing over your private data.
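The "check if you were breached" step above (and the same advice in the FAQ) points at haveibeenpwned.com. Its Pwned Passwords service exposes a k-anonymity range API (`https://api.pwnedpasswords.com/range/{first five hex chars of the SHA-1}`), which lets you check whether a password appears in known breach corpora without the service ever learning the password or its full hash. The script below is an added example, not code from the article or from Onerep or HIBP: it implements the client side of that protocol, and the `fake_fetch_range` responder and its response body are constructed so the script runs offline (a real client would do an HTTPS GET to the URL above and pass the text body in).

```python
"""Password-exposure check using the k-anonymity model of the Have I Been Pwned
Pwned Passwords range API (https://api.pwnedpasswords.com/range/{prefix}).

Added example, not code from the article or from Onerep/HIBP. Only the first
five hex characters of the password's SHA-1 hash are sent; the server answers
with every 35-char hash suffix sharing that prefix and how often each was seen
in breach corpora, and the match is made locally. The response below is
CONSTRUCTED so the script runs offline."""
import hashlib


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Uppercase SHA-1 hex digest split into the 5-char prefix that is sent
    to the service and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (the documented response format) into a dict.
    Tolerates blank lines and CRLF endings; ignores malformed lines."""
    seen: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        if len(suffix) == 35 and count.isdigit():
            seen[suffix.upper()] = int(count)
    return seen


def breach_count(password: str, fetch_range) -> int:
    """Return how many times `password` appears in the corpus (0 = not found).
    `fetch_range(prefix)` must return the raw text body for that prefix; a
    real client would perform the HTTPS GET there, this example plugs in a
    constructed responder instead."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# --- constructed sample data (NOT a real API response) ----------------------
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8 -> prefix 5BAA6
LEAKED_PASSWORD = "password"
_known_prefix, _known_suffix = sha1_prefix_suffix(LEAKED_PASSWORD)
FAKE_RANGE_BODY = "\r\n".join([
    "00000000000000000000000000000000001:2",   # filler suffix, constructed
    f"{_known_suffix}:3861493",                  # the leaked password's suffix
    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1",   # filler suffix, constructed
])


def fake_fetch_range(prefix: str) -> str:
    """Stand-in for the HTTPS call; only knows the one constructed prefix."""
    return FAKE_RANGE_BODY if prefix == _known_prefix else ""


if __name__ == "__main__":
    # "correct-horse-battery-staple-9vQ2" is a constructed sample value
    for pw in (LEAKED_PASSWORD, "correct-horse-battery-staple-9vQ2"):
        n = breach_count(pw, fake_fetch_range)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not found'}")
```

The design point is the split in `sha1_prefix_suffix`: the 5-character prefix maps to hundreds of candidate hashes, so the service cannot tell which one you hold, while the suffix comparison in `breach_count` happens entirely on your machine. The email breach search on haveibeenpwned.com works differently (it needs an API key and the email address itself), so this example covers the password check only.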
Secure your accounts
If you’ve learned that your data has leaked, take immediate steps to secure your personal accounts. Start by changing your current passwords for email, financial accounts, and other apps and accounts that might be targeted by criminals. Use strong passwords that haven’t been used anywhere else, and consider using a password manager to generate strong passwords automatically and store them securely.
Additionally, enable two-factor authentication (2FA) or multi-factor authentication (MFA) to add another layer of security to your accounts and prevent unauthorized access.
Monitor financial and identity activity
Finally, keep a close eye on your financial and other online accounts to notice any suspicious activity. Check your bank and investment statements to make sure no new accounts are added, new cards issued, credit lines opened, etc. If you notice any activity that you didn’t perform, instantly contact relevant service providers to notify them.
For greater security, consider setting up fraud alerts with all three major credit bureaus – Experian, TransUnion, and Equifax. These alerts will notify potential creditors that there is a data compromise and will encourage them to meticulously check your identity before providing any services.
If applicable, you can also put a security freeze on your credit report with the same credit bureaus. A freeze will not let creditors see your credit report, which means they won’t be able to approve any new credit lines in your name, regardless of whether it’s you or someone else who requests it.
Long-term strategies to protect your personal information
In our digitized world, breaches like Luxottica’s are not rare and are, unfortunately, inevitable. These incidents teach us that no one is immune to cyber-attacks; even large and reputable institutions have vulnerabilities. And while it’s important to know what to do when your data has been compromised, it’s even more crucial to know how to protect yourself better—it’s about preparedness, not prevention.
Here are some strategies that can help you protect your privacy more proactively.

Remove personal data from public sites
Data brokers are companies that collect your personal information from various mediums, analyze it, and organize it into compelling profiles for sale. These companies expose your personal details to pretty much anyone from marketers to threat actors who may use it for identity theft, phishing, and other nefarious purposes.
Removing your information from these sites is a good strategy for ensuring long-term safety. And while it can be quite time-consuming to do it manually, Onerep can help by automating data removal for hassle-free opt-out of data brokers. The platform scans 210+ broker sites to see where your data is listed and sends requests to remove it. It also continuously monitors the web and removes your new or reappeared information. With Onerep, you can limit your data exposure online and minimize cyber threats.
Control what you share online
Remember that even seemingly harmless pieces of information that can identify you might be used by criminals. Hence, avoid sharing personal data like locations, birthdays, and others on social media and other public sources.
Additionally, remove personally identifying data from your old accounts and outdated services, and be sure to use proper privacy settings.
Segment and strengthen accounts
Consider using different email addresses for different types of services. For example, you can use one email for all your banking accounts and another one for shopping accounts. This can help you protect your accounts and prevent the massive damage that can be caused by breaches.
Also, avoid logging into services using social media credentials. Although it’s fast and convenient, social login may lead to unintentionally sharing your personal information with third parties and increase the risk of data compromise.
Use privacy-focused tools and extensions
Additional tools and extensions designed for data privacy can make you less vulnerable to cybercriminals by masking your sensitive data. Some tools that you can consider using include:
- Tools and extensions that generate temporary, throwaway email addresses for new online signups to keep your personal email hidden.
- Virtual phone numbers and tools that mask your own number to avoid receiving spam and being targeted by scams.
- VPNs to mask your location and block trackers from monitoring your online activity.
- Anti-virus to keep your devices protected from malware and other threats.
- Safe browsers that come with additional security measures to keep you protected while you are surfing the web.
Secure your devices
Even the most trusted devices and apps have vulnerabilities that can be used by cybercriminals. However, developers take proactive steps in identifying them and providing updates with fixed bugs and strengthened security. That’s why it’s crucial to keep your devices and apps updated to the latest version at all times.
Also, adhere to the basic password hygiene principles suggested by official institutions like America’s Cyber Security Defense Agency. These principles include:
- Using long passwords (16+ characters)
- Using random character combinations
- Setting unique passwords for all accounts
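The three password principles just listed, together with the earlier advice to use passwords that have not been used anywhere else, can be turned into a small helper. The script below is an added example, not code from the article, from Onerep, or from any official agency: `generate_password` draws from the operating system's CSPRNG via Python's `secrets` module, and `hygiene_issues` reports which principle a candidate password violates. The reuse check compares a keyed fingerprint of the candidate against fingerprints of passwords already in use, so the helper never needs a plaintext list; the `USED` vault and `VAULT_KEY` below are constructed sample values.

```python
"""Password hygiene helper: generate a long random password and check a
candidate against three principles: 16+ characters, a random mix of character
classes, and not reused for another account.

Added example, not code from the article or from Onerep. The reuse check keeps
only HMAC-SHA256 fingerprints of existing passwords (constructed sample vault
below), never the plaintexts."""
import hashlib
import hmac
import secrets
import string

# Character classes a generated password must draw from
ALPHABET_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    "!@#$%^&*()-_=+[]{};:,.?",
)


def generate_password(length: int = 20) -> str:
    """Random password with at least one character from every class.
    Uses `secrets` (OS CSPRNG), never `random`, whose output is predictable."""
    if length < 16:
        raise ValueError("use at least 16 characters")
    chars = [secrets.choice(cls) for cls in ALPHABET_CLASSES]
    pool = "".join(ALPHABET_CLASSES)
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle with a CSPRNG index so the guaranteed class
    # characters do not always sit at the front of the password
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def fingerprint(password: str, key: bytes) -> str:
    """Keyed hash used for the reuse check; the key stays with the vault owner,
    so a leaked fingerprint set cannot be brute-forced offline without it."""
    return hmac.new(key, password.encode("utf-8"), hashlib.sha256).hexdigest()


def hygiene_issues(password: str, used_fingerprints: set[str], key: bytes) -> list[str]:
    """Return the list of violated principles (an empty list means it passes)."""
    issues: list[str] = []
    if len(password) < 16:
        issues.append("shorter than 16 characters")
    classes_hit = sum(any(c in cls for c in password) for cls in ALPHABET_CLASSES)
    if classes_hit < 3:
        issues.append("fewer than 3 character classes")
    if fingerprint(password, key) in used_fingerprints:
        issues.append("already used for another account")
    return issues


# Constructed sample vault: fingerprints of passwords already in use elsewhere
VAULT_KEY = b"constructed-demo-key-not-for-real-use"
USED = {fingerprint(p, VAULT_KEY) for p in ("Summer2021!Summer2021!", "CorrectHorse-Battery9")}


if __name__ == "__main__":
    print(hygiene_issues("Summer2021!Summer2021!", USED, VAULT_KEY))
    print(hygiene_issues("password1", USED, VAULT_KEY))
    fresh = generate_password(20)
    print(fresh, hygiene_issues(fresh, USED, VAULT_KEY))
```

A password manager performs the same generation and uniqueness bookkeeping for you; the value of the script is in showing why the principles are checkable at all, and that "unique" can be enforced without ever storing the passwords themselves.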
You can find more useful tips on how to protect your online privacy here.
FAQs
What should I do if my information was found in the Luxottica breach?
Immediately secure your accounts by changing old passwords and enabling 2FA or MFA to prevent unauthorized access. Additionally, secure your financial accounts by setting up fraud alerts or putting a security freeze where possible. And don’t forget to track your accounts and reports to detect any suspicious activity.
How do I know if my data is on the dark web?
Check if your personal data has been compromised with haveibeenpwned.com. This platform will let you look up your email in the list of data breach records and see if it was stolen. You can also learn about being affected by a breach from official company notifications sent via email.
How can I remove my personal information from the internet?
Removing your data from the web can be tricky because once it’s there, it might be available on data brokers and people-search sites. According to the law, these sites are obliged to remove your data from their listings if you file an official request. However, doing this manually is a lot of work: you need to visit every site one by one, check if your information is listed there, find your profile URLs, and submit separate requests. Luckily, you can do it faster and more easily with data-removal services like Onerep.
Protect yourself from future breaches
Cases like the Luxottica data breach teach us that no one is fully protected from breaches and leaks. Although attacks are inevitable, there are ways to protect your privacy better.
In order to stay safe on the web, it’s important to remember that privacy protection is an ongoing process. It’s about preparing now—not just for the current breach, but for any subsequent one.
So don’t wait and take proactive steps to secure your personal information.
Mikalai is a Chief Technical Officer at Onerep. With a degree in Computer Science, he headed the developer team that automated the previously manual process of removing personal information from data brokers, making Onerep the industry’s first fully automated tool to bulk-remove unauthorized profiles from the internet.