Breach Notification , Fraud Management & Cybercrime , Incident & Breach Response
Eye Care Center Operator's Customer Data HackedWas Luxottica's Data Breach Linked to Ransomware Attack?
A U.S. unit of Italian-based eyewear maker and eye care center conglomerate Luxottica has reported a hacking incident affecting over 829,000 individuals – the fourth largest health data breach added to the U.S. federal tally so far this year.
See Also: LIVE Webinar | Stop, Drop (a Table) & Roll: An SQL Highlight Discussion
Luxottica says the breach stemmed from the hacking of a web-based scheduling application in August. The company also reportedly was hit by a September ransomware attack, but it’s not clear if the two incidents are related.
Luxottica designs, manufacturers and distributes popular eyewear brands, including Ray-Ban and Oakley. It owns several large eye care center networks, including Pearle Vision and Lenscrafters in the U.S.
The Department of Health and Human Services’ HIPAA Breach Reporting Tool website shows Luxottica America Inc., based in Mason, Ohio, reported the incident Oct. 27.
In its breach notification statement, the company says it learned on Aug. 5 that “an unauthorized person” accessed the Luxottica-managed web application used for appointment scheduling.
Luxottica says it contained the incident and immediately began an investigation. “On Aug. 28, we preliminarily concluded that the attacker may have accessed and acquired patient information,” the notification says.
Information exposed may have included customers’ names, contact information, appointment date and time, health insurance policy number, and doctor or appointment notes that may indicate information related to eye care treatment.
“Luxottica is not aware of any misuse of personal information or harm to patients as a result of this incident,” the notification says. “If you discover any suspicious activity on your accounts or if you suspect identity theft or fraud, report it immediately to your health plan or insurer.”
Luxottica says it’s taken measures to enhance its security controls, including implementing additional access restrictions for its patient scheduling platform.
The Oct. 27 breach notification came in the wake of an apparent ransomware attack on the company in September that shut down production at some Luxottica facilities in Italy and China, according to several news organizations.
On Sept. 21, Italian media site ANSA reported that several of Luxottica's production and logistics plants were shut down due to an unspecified "computer system failure."
Bleeping Computer reported that a Luxottica employee said a ransomware attack affected the company worldwide.
On Oct. 20, news site Security Affairs reported that Nefilim ransomware operators had posted “a long list of files that appear to belong to Italian eyewear and eyecare giant Luxottica.”
Luxottica did not immediately respond to Information Security Media Group’s requests for comment.
But some security experts say it’s possible the two security incidents are related.
“We may never know if they are directly related, but the scenario here is not uncommon. Once you’ve been hacked and access to your network has been obtained, there is value in that information. And we know it is sold through marketplaces on the dark web,” says former healthcare CIO David Finn, executive vice president at privacy and security consultancy CynergisTek.
While it appears Luxottica experienced two separate incidents, “they could certainly be related,” notes threat analyst Brett Callow of security firm Emisoft.
“It’s not at all uncommon for ransomware groups to collaborate with other threat actors - so-called ‘initial access brokers' - in order to obtain access to pre-compromised networks,” he says. “So, it’s certainly possible that the actor responsible for the initial compromise/breach further monetized the hack by selling access to Luxottica’s network to Nefilim, the ransomware group."
Because of the development of cooperative criminal partnerships and a marketplace for compromised networks, organizations must quickly and fully remediate security incidents, he stresses.
“If they do not, the initial attack could well lead to others,” he says. “This is especially true when it comes to malware such as Emotet, QakBot and BazarLoader which are commonly used as a launchpad for ransomware attacks.”