One retailer mistake puts several million Europeans at risk


Over 3.5 million people have been affected across Europe after German eyewear company Brillen spilled order details and customer data to anyone on the internet.

On August 8th, the Cybernews research team discovered a leak that affected German eyewear retailer Brillen. The company provides a wide selection of glasses and contact lenses both online and in its physical stores in Germany and other European countries.

The massive data leak affected over 3.5 million customers in Germany and the company’s affiliate sites in Spain and Austria.


What data was exposed?

  • Full names
  • Addresses
  • Emails
  • Mobile phone numbers
  • Gender
  • Dates of birth
  • Detailed order information – payment amounts, invoice numbers, and dates
Figure: Number of affected customers across Europe

The leak was caused by the absence of authentication on the Elasticsearch cluster. Elasticsearch is a search engine that allows users to store, search, and analyze large amounts of data. A group of connected Elasticsearch servers is called a cluster; it spreads storage and query processing across the servers so that large datasets can be handled.

Previous Cybernews research reveals that this is a common cybersecurity mishap. Failing to configure proper authentication exposes stored data to internet users and, inevitably, to threat actors who are constantly scanning the internet for publicly accessible databases.
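As an added illustration (not code from the article or from Cybernews), the following Python self-check lets a cluster operator confirm that their own Elasticsearch endpoint refuses unauthenticated reads; the address and the sample response body are constructed, and the verdict logic is kept in a separate function so it can be exercised without a live cluster.

```python
"""Self-check: does an Elasticsearch endpoint answer without credentials?

Run it against your own cluster's public address before and after enabling
authentication (xpack.security.enabled: true in elasticsearch.yml). A cluster
that returns HTTP 200 and its cluster metadata to an unauthenticated GET / is
exposed in exactly the way the article describes.
"""
import json
import urllib.error
import urllib.request

EXPOSED = "EXPOSED"      # unauthenticated reads succeed
PROTECTED = "PROTECTED"  # server demands credentials (HTTP 401)
UNKNOWN = "UNKNOWN"      # not reachable, or not an Elasticsearch root document


def classify(status: int, body: str) -> str:
    """Map the HTTP status and body of GET / to a verdict."""
    if status == 401:
        return PROTECTED
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return UNKNOWN
        # The Elasticsearch root document always carries cluster_name and version.
        if isinstance(doc, dict) and "cluster_name" in doc and "version" in doc:
            return EXPOSED
    return UNKNOWN


def probe(base_url: str, timeout: float = 5.0) -> str:
    """GET <base_url>/ with no credentials attached and classify the answer."""
    req = urllib.request.Request(base_url.rstrip("/") + "/", method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:  # 401/403/404 arrive as exceptions
        return classify(err.code, "")
    except (urllib.error.URLError, OSError):
        return UNKNOWN


# Constructed sample body; not a real response from any retailer's cluster.
SAMPLE_OPEN = ('{"name":"node-1","cluster_name":"shop-search",'
               '"version":{"number":"8.12.0"},"tagline":"You Know, for Search"}')

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:9200"  # assumed local address
    print(target, probe(target))
```

Anything other than PROTECTED on an internet-facing address is a finding to fix before the cluster holds customer data.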

Figure: Sample of leaked data

In the case of Brillen, the cluster stored customers' personal data and order details. Our researchers contacted the company immediately after discovering the leak, and it reacted by closing access to the data. However, Cybernews has received no further response from Brillen.

While the cluster has been taken down, the length of time it was exposed remains unclear, as does the extent to which public search engines have indexed the data. Once indexed, the data becomes accessible to anyone, creating a goldmine for threat actors.


“Due to the number of affected clients, this leak would be lucrative to cybercriminals, as they would be able to launch large, semi-targeted phishing campaigns against a large number of potential victims,” warn Cybernews researchers.

Figure: The scope of the data leak

The exposed data puts customers at heightened risk of identity theft and fraud. The order details, combined with personal information, can enable threat actors to craft highly customized phishing campaigns.

Apart from causing the company reputational damage, not securing customers' data violates data protection laws, such as GDPR, which may result in fines of up to 4% of annual turnover, or €20 million, whichever is higher.