One retailer’s error endangers millions of Europeans


Massive Data Leak at German Eyewear Company Brillen Exposes Over 3.5 Million Customers in Europe

Over 3.5 million people have been affected across Europe after German eyewear company Brillen spilled order details and customer data to anyone on the internet.

On August 8th, the Cybernews research team discovered a leak that affected German eyewear retailer Brillen. The company provides a wide selection of glasses and contact lenses both online and in its physical stores in Germany and other European countries.

The massive data leak affected over 3.5 million customers in Germany and the company’s affiliate sites in Spain and Austria.

What data was exposed?

– Full names
– Addresses
– Emails
– Mobile phone numbers
– Gender
– Dates of birth
– Detailed order information – payment amounts, invoice numbers, and dates

The leak was caused by the absence of authentication on the company's Elasticsearch cluster. Elasticsearch is a search engine that lets users store, search, and analyze large amounts of data. When it runs across a group of connected servers, that group is called a cluster, which spreads the work of handling large datasets over several nodes.

Previous Cybernews research shows that this is a common cybersecurity mishap. Failing to configure proper authentication exposes stored data to anyone on the internet and, inevitably, to threat actors who constantly scan the internet for publicly accessible databases.
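As an added illustration, not taken from the Cybernews report or from Brillen's actual setup, the elasticsearch.yml settings that leave a cluster openly reachable are shown next to the settings that lock it down; the cluster name, private address and certificate paths are assumed values.

```yaml
# Weak configuration (assumed, for illustration): the cluster answers every
# request from any network without asking for credentials. Elasticsearch
# releases before 8.x shipped with security disabled, so this is what an
# unreviewed installation often looked like.
cluster.name: orders-search           # assumed name
network.host: 0.0.0.0                 # binds to every interface, public ones included
xpack.security.enabled: false         # no authentication on any index or API
---
# Hardened configuration (assumed, for illustration): bound to an internal
# address, authentication required, TLS on the REST API and between nodes.
cluster.name: orders-search           # assumed name
network.host: 10.0.5.12               # assumed private address; internal interface only
http.port: 9200
xpack.security.enabled: true                                   # credentials required for every request
xpack.security.http.ssl.enabled: true                          # TLS for clients talking to port 9200
xpack.security.http.ssl.keystore.path: certs/http.p12          # assumed path
xpack.security.transport.ssl.enabled: true                     # TLS for node-to-node traffic
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/transport.p12    # assumed path
xpack.security.transport.ssl.truststore.path: certs/transport.p12  # assumed path
```

Once the hardened settings are in place, an unauthenticated request to the cluster's root URL should return a 401 error instead of the cluster banner and index listing, which is a quick self-check for an operator reviewing their own deployment.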

In the case of Brillen, the cluster stored customers' personal data and order details. Our researchers contacted the company immediately after discovering the leak, and it reacted by closing access to the data. However, Cybernews has received no further response from Brillen.

While the cluster has been taken down, the length of time it was exposed remains unclear, as does the extent to which public search engines have indexed the data. Once indexed, the data becomes accessible to anyone, creating a goldmine for threat actors.

The exposed data puts customers at heightened risk of identity theft and fraud. The order details, combined with personal information, can enable threat actors to craft highly customized phishing campaigns.

Apart from causing the company reputational damage, not securing customers’ data violates data protection laws, such as GDPR, which may result in fines of up to 4% of annual turnover, or €20 million, whichever is higher.
