
Cyber Incident Victim: Luxottica

Date:

Aug 2020

Location:

Italy

Summary

Luxottica, parent company of EyeMed, LensCrafters, and Pearle Vision, experienced a ransomware attack that disrupted operations in China and Italy. The company initially denied any data theft, a claim the threat actors contradicted. Nefilim ransomware operators subsequently leaked stolen data and listed the company on their leak site. Separately, attackers compromised an appointment scheduling system and accessed patient and consumer data; notifications were issued months later, and federal reports confirmed that this breach affected over 829,000 individuals.

CIA Posture: available to members

Motives: 4 motives

Tactics, Techniques & Procedures: 1 technique

Threat Actor: 1 actor

Type: available to members

Location: available to members

Description

In September 2020, eyewear conglomerate Luxottica—parent company of EyeMed, LensCrafters, and Pearle Vision—experienced a significant ransomware attack that disrupted operations in China and Italy. The company initially asserted no evidence existed that attackers accessed or stole user or consumer data. This claim was directly contested by the threat actors involved. By October, Nefilim ransomware operators listed Luxottica on their dedicated leak site and began publicly releasing data stolen during the attack. Concurrently, Luxottica disclosed a separate security incident discovered on August 9, 2020, which they described as distinct from the ransomware event. This earlier breach compromised patient and consumer information through unauthorized access to an appointment scheduling program and system.


Luxottica began notifying affected individuals on October 27, 2020, though it did not characterize the August incident as ransomware or attribute it to Nefilim. Independent sources estimated that up to 800,000 individuals were affected by the scheduling system breach. On November 12, 2020, Luxottica formally reported the incident to the U.S. Department of Health and Human Services as a business associate breach affecting 829,454 patients. The company did not respond to repeated media inquiries about either breach throughout October and November. The operational disruption caused by the September ransomware attack, together with the confirmed large-scale data exposure from both incidents, pointed to systemic security weaknesses across Luxottica’s global infrastructure.

Sources

1 source (available to members)