Luxottica

A 09/22 update has been added below. This post was originally published on September 21st, 2020.

Italy-based eyewear and eyecare giant Luxottica has reportedly suffered a cyberattack that has led to the shutdown of operations in Italy and China.

Luxottica is the world's largest eyewear company, employing over 80,000 people and generating 9.4 billion in revenue for 2019.

The company's portfolio of eyeglasses brands includes well-known names such as Ray-Ban, Oakley, Oliver Peoples, Ferrari, Michael Kors, Bulgari, Armani, Prada, Chanel, and Coach.

Luxottica also operates retail outlets such as Sunglass Hut and eyecare providers Pearle Vision, LensCrafters, and EyeMed.

Possible cyberattack impacts operations

On Friday evening, people began to report that the web sites for Ray-Ban, Sunglass Hut, LensCrafters, EyeMed, and Pearle Vision were not working, and wondered if they were breached.

Reddit report of Luxottica sites being down

In addition, the Luxottica portals one.luxottica.com and university.luxottica.com are currently showing messages stating that the sites are under maintenance.

"OneLuxottica is temporarily unavailable. We are working to bring it live as soon as possible."

OneLuxottica maintenance message

Today, Italian media reports that the IT systems for Luxottica offices in Agordo and Sedico, Italy, were suffering "computer system failure." As employees could not work, they were told to go home via an SMS text.

Union sources later confirmed to Italian media Ansa that the employees were sent home due to "serious IT problems."

Update 09/22/20: A Luxottica employee contacted BleepingComputer today and told us that the ransomware attack occurred on Sunday evening, affected the company worldwide, and that even today, offices were still not fully operational.

In a post to LinkedIn, security professional Nicola Vanin claims that no data was stolen as part of this attack.

"a) There is currently no access or theft of information from users and consumers.
b) Once the event was analyzed, the clues were collected in less than 24 hours and the procedure for cleaning up the affected servers began. Work activities are gradually returning to normal in the #Milano plants and headquarters."

BleepingComputer was unable to independently verify if Vanin's information is accurate.

As for whether data was stolen, only time will tell, as ransomware operators will publish any stolen data on a data leak site if a ransom is not paid.

Attackers possibly gained access using a vulnerability

Furthermore, cybersecurity intelligence firm Bad Packets has told BleepingComputer that Luxottica had a Citrix ADC controller device vulnerable to the critical CVE-2019-19781 flaw in Citrix devices.

This vulnerability is popular among ransomware threat actors. When exploited, the vulnerability provides access to a network and credentials that can be used to spread further through the network.

A recent ransomware attack on a German hospital that led to a patient's death was caused by the attackers exploiting this same vulnerability to gain access to the network.

9/22/20: Updated with information shared by an employee and a statement posted by Luxottica
9/23/20: Updated to clarify that Vanin is not an employee of Luxottica.
