April Showers Bring May Data Leaks

June 8, 2023

You know what they say – April showers bring May data leaks. They do say that, right? Regardless, there was a flood of data leaks in May of this year. Over the last 3 years, data leakage incidents have risen rapidly. The broad consensus is that this can be attributed to ‘digital transformation’, where companies move an increasing number of previously on-prem systems, like application and database servers, to cloud-hosted instances or microservices. In many cases, this transition has been hasty, and secure configuration of cloud resources has suffered the most. The evidence for that assertion in particular is overwhelming, as so many data leaks come from misconfigured cloud resources, like open S3 buckets.

In the last 30 days alone, there have been 5 major data leaks that illustrate this issue well. In this blog post, we will review the leaks, what data was leaked, and what caused the leak:

Luxottica

What happened:

Luxottica, the world’s largest eyewear company (owner of Ray-Ban, Oakley, and many other major brands), disclosed just last week that it was impacted by a breach of a ‘third party’ involved in its retail business. The stolen database contained 70 million customer records. A user going by the name ‘sin’ offered it for sale on a variety of cybercrime forums from April 30th to May 12th of this year, and it was eventually just given away for free in its entirety.

The leak contained 77 million customer records, with customer contact details like names, addresses, phone numbers, emails, and dates of birth. While it doesn’t contain things like financial information, social security numbers, or passwords – this combination of information is still considered PII. The author of the forum post claims to have obtained this data legally via some sort of exposure, but didn’t detail exactly what the exposure was. The seller invited Luxottica to share the details, implying it would be embarrassing for them.
