Massive Data Leak at German Eyewear Company Brillen Exposes Over 3.5 Million Customers in Europe
Over 3.5 million people have been affected across Europe after German eyewear company Brillen spilled order details and customer data to anyone on the internet.
On August 8th, the Cybernews research team discovered a leak that affected German eyewear retailer Brillen. The company provides a wide selection of glasses and contact lenses both online and in its physical stores in Germany and other European countries.
The massive data leak affected over 3.5 million customers in Germany and the company’s affiliate sites in Spain and Austria.
What data was exposed?
– Full names
– Addresses
– Emails
– Mobile phone numbers
– Gender
– Dates of birth
– Detailed order information – payment amounts, invoice numbers, and dates
The leak was caused by the absence of authentication on the company's Elasticsearch cluster. Elasticsearch is a search engine that lets users store, search, and analyze large amounts of data. When it runs on a group of connected servers, that group is called a cluster, which helps it process large datasets.
Previous Cybernews research reveals that this is a common cybersecurity mishap. Failing to configure proper authentication exposes stored data to internet users and, inevitably, to threat actors who are constantly scanning the internet for publicly accessible databases.
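As an added illustration of the misconfiguration described above (example code, not from the article and not Brillen's or Elasticsearch's own), the following Python self-check lets an operator confirm that a node they administer refuses requests carrying no credentials; the URL is a placeholder and the sample replies are constructed.

```python
"""Self-audit: does an Elasticsearch node answer anonymous requests?
Assumes a node you administer (URL is a placeholder) and that, with X-Pack
security enabled, Elasticsearch answers credential-less requests with 401."""
import json
import urllib.error
import urllib.request

EXPOSED = "EXPOSED"      # anyone on the internet can read the indices
PROTECTED = "PROTECTED"  # authentication is enforced
UNKNOWN = "UNKNOWN"      # not an Elasticsearch reply, or needs a look


def classify_response(status: int, body: str) -> str:
    """Classify one reply to a GET / that carried no credentials."""
    try:
        doc = json.loads(body) if body else {}
    except json.JSONDecodeError:
        return UNKNOWN
    if not isinstance(doc, dict):
        return UNKNOWN
    # An open node returns its cluster metadata to anyone who asks.
    if status == 200 and "cluster_name" in doc and "version" in doc:
        return EXPOSED
    # A secured node (or a proxy in front of it) refuses the request.
    if status in (401, 403):
        return PROTECTED
    return UNKNOWN


def check_node(base_url: str, timeout: float = 5.0) -> str:
    """Send a single anonymous GET to the root endpoint and classify it."""
    req = urllib.request.Request(base_url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:  # 401/403 are raised, not returned
        return classify_response(err.code, err.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError):
        return UNKNOWN


# Constructed sample replies, not captured from any real cluster.
SAMPLE_OPEN = (200, json.dumps({"name": "node-1", "cluster_name": "shop-orders",
                                "version": {"number": "7.10.2"}}))
SAMPLE_LOCKED = (401, json.dumps({"error": {"type": "security_exception",
                                  "reason": "missing authentication credentials"},
                                  "status": 401}))

if __name__ == "__main__":
    print(check_node("http://localhost:9200"))  # placeholder address
```

A result of EXPOSED means the node hands its cluster metadata, and by extension its indices, to any unauthenticated caller; enabling X-Pack security or putting an authenticating proxy in front of the node turns the result into PROTECTED.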
In the case of Brillen, the cluster stored customers' personal data and order details. Our researchers contacted the company immediately after discovering the leak, and it reacted by closing access to the data. However, Cybernews has received no further response from Brillen.
While the cluster has been taken down, the length of time it was exposed remains unclear, as does the extent to which public search engines have indexed the data. Once indexed, the data becomes accessible to anyone, creating a goldmine for threat actors.
The exposed data puts customers at heightened risk of identity theft and fraud. The order details, combined with personal information, can enable threat actors to craft highly customized phishing campaigns.
Apart from causing the company reputational damage, not securing customers’ data violates data protection laws, such as GDPR, which may result in fines of up to 4% of annual turnover, or €20 million, whichever is higher.