UPDATE: Luxottica Data Leaked by Hackers After Ransomware Attack
Luxottica recently faced a ransomware attack and another hack on its appointment scheduling app. But the subsequent notice did not disclose the initial incident, nor that hackers leaked sensitive data.
By Luxottica of America recently reported a patient data breach, which impacted 829,454 patients. But prior to the security incident, the company faced a ransomware attack, and the Nefilim ransomware threat actors have since leaked data allegedly stolen from the vendor on the dark web in a number of installments.
Based in Italy, Luxottica is a global eyewear conglomerate that designs, manufactures, distributes, and retails eyewear brands, like LensCrafters, Sunglass Hut, and Pearle Vision, along with the EyeMed vision care plan.
The vendor reportedly fell victim to a ransomware attack in August, leading to the shutdown of operations in Italy and China and website disruptions for some popular Luxottica brands, such as EyeMed and Ray-Ban.
The company’s patient portals were also disrupted by the attack, with the system disruptions lasting for more than a month across the Luxottica network.
However, this ransomware attack was not the cause of the HIPAA breach disclosure to the Department of Health and Human Services.
The patient data breach stemmed from an August 5 hack of its web-based appointment scheduling application managed by Luxottica and used by eyecare providers to assist patients with appointment scheduling.
Luxottica did not detect the hacking incident until four days later, when it was contained. Officials said they launched an investigation with help from an outside cybersecurity firm, which found the hackers possibly accessed and acquired patient data during the application hack.
The breached patient information involved contact details, health insurance policy numbers, and appointment notes related to treatment, such as health conditions, procedures, and prescriptions, as well as other sensitive data, including the credit card information and Social Security information of some patients.
The notice also explained the attacker may have accessed and acquired third-party information from the appointment app.
A Luxottica spokesperson confirmed to HealthITSecurity.com: "We have no evidence that indicates misuse of our patients’ information as a result of the scheduling app incident. We have followed all laws and notification requirements in this incident and continue to manage the situation with full transparency."
Further, the hacking group behind the initial ransomware attack leaked company information online. Screenshots shared with HealthITSecurity.com show the first installment of the exfiltrated data was posted on October 18 and contains financial information and human resource documents.
The hackers have continued to leak information from the company, with the last installment published on November 7. The data posting shows banking information and other sensitive data.
The threat actors also warned that in the disclosure of the ransomware attack, officials did not explain the hackers sent the company proofs of the data they had stolen from Luxottica during the incident.
But again, according to the company spokesperson, the company "has no evidence that the data leak highlighted... had any impact in the U.S."
As Coveware data shows data exfiltration and extortion attempts occur in half of ransomware attacks, there are several avenues in which the hackers may have gained access to Luxottica’s information.
“Ransomware groups frequently buy access to compromised networks from the hackers that compromised them. In fact, they actively seek to recruit those hackers as affiliates,” Brett Callow, a threat analyst for Emsisoft explained.
“Consequently, it’s not at all surprising that a compromise would result in more than one type of security incident. Whether Luxottica’s incidents were related is impossible to say, but it’s certainly a distinct possibility,” he added. “Loosely related, we anticipate that ransomware groups will start to put exfiltrated data to more use - namely, by using it to overtly attack victim organizations’ customers and business partners.”
To Callow, these hacking groups are primarily motivated by increasing the pressure on future victims to pay the ransom, rather than to just directly monetize data exfiltrated by recent attacks. By continuing to publish data stolen from victims, hackers are attempting to scare possible victims into paying demands given the increased likelihood the stolen data will be published.
In response, healthcare provider organizations should review Microsoft insights around human-operated ransomware campaigns, such as double extortion events like these.
The joint federal alert regarding the ransomware wave on healthcare stressed that providers must evaluate business continuity plans and the capability of identifying continuity gaps, which can help establish a viable security program and ensure the site can maintain functions in the event of a cyberattack or another emergency.
Lastly, as repeatedly warned by the FBI and a host of security leaders, paying the ransom should be avoided whenever possible as there’s no guarantee the hackers will actually return or destroy the data. Coveware’s report actually revealed that threat actors will frequently sell access to the exposed port, provide the victim with false evidence when providing “proof” the data was destroyed, and a long list of other activities.
This story has been updated with statements from Luxottica, as well as to clarify that the web-based scheduling application hack did not involve ransomware.
