Cyber Incident Victim: Luxottica

Date: Sep 2020

Location: Italy

Summary

Luxottica, a global eyewear conglomerate, experienced a ransomware attack that disrupted operations worldwide, including website outages for major brands like Ray-Ban and retail portals such as Sunglass Hut and LensCrafters. Internal systems were compromised, forcing office closures in Italy and China, and employees were sent home via SMS because the IT infrastructure was inoperable. Maintenance messages appeared on corporate portals, while initial claims suggested no consumer data theft and indicated partial restoration efforts were underway. The attack was linked to exploitation of a critical Citrix vulnerability (CVE-2019-19781), commonly leveraged by ransomware actors for network access, though whether data was exfiltrated remained unverified at the time.

Description

On September 18, 2020, Luxottica—the Italy-based eyewear conglomerate owning Ray-Ban, Oakley, and retail chains including LensCrafters and Sunglass Hut—began experiencing widespread IT disruptions. By the evening of September 20 (Sunday), a ransomware attack compromised systems globally, forcing the shutdown of consumer-facing websites for Ray-Ban, Sunglass Hut, LensCrafters, EyeMed, and Pearle Vision, which displayed errors or became inaccessible. Internal corporate portals such as one.luxottica.com and university.luxottica.com were replaced with maintenance messages stating, "OneLuxottica is temporarily unavailable." Operations at Luxottica’s offices in Agordo and Sedico, Italy, halted due to "computer system failure," with employees instructed via SMS to leave work premises. Union representatives confirmed to Italian media that "serious IT problems" caused the shutdown, affecting the company’s 80,000 employees and disrupting workflows across manufacturing plants and headquarters.

Luxottica initiated incident response procedures within 24 hours of detecting the attack, collecting forensic evidence and commencing server cleanup. Cybersecurity intelligence firm Bad Packets identified a vulnerable Citrix ADC controller in Luxottica’s infrastructure, exploitable via the critical CVE-2019-19781 flaw frequently leveraged by ransomware groups for network access and credential theft. While security professional Nicola Vanin asserted on LinkedIn that no consumer or user data was exfiltrated, the broader impact included prolonged operational downtime, with global offices remaining partially non-functional days after the incident. The company gradually restored systems in its Milan facilities, though full recovery timelines were unspecified. The ransomware group’s identity and ransom demands were undisclosed, and it remained uncertain whether data had been leaked, a common tactic by attackers to pressure victims during negotiations.
