Crossing the Line: Meta's $1.3 Billion GDPR Penalty Amidst International Data Disputes

Welcome to LEVEL7’s issue of CYBER2GO - A Weekly Recap, in which we analyse a few of last week’s cybersecurity topics, as reported by CYBER2GO, and share our perspectives, tools and strategies in English.

Follow our LinkedIn page, and subscribe to this newsletter, to not miss out!

Week 21

Behind the Lens: Unmasking Luxottica's Massive Data Breach and the Importance of Supply Chain Security

Luxottica. The name of one of the biggest eyewear companies in the world, if not the biggest. But, funnily enough, you may never have heard of them.

They own Ray-Ban, and make eyewear for Chanel, Prada, Versace, Giorgio Armani, Burberry, D&G... the list goes on.

So, what happened? Why are they in the news?

Unfortunately, it’s not because of launching a new line of eyewear, or new prescription frames.

Instead, they’ve confirmed a data breach dating all the way back to 2021. The breach affected over 70 million customers (about twice the population of California).

Over 70 million.

A user on the now-closed BreachForums had, back in November 2022, put up a post offering data allegedly stolen from Luxottica.

“This data wasn’t hacked nor breached, this was acquired legally. No blame on buyers, me nor the company who was holding this data. All blame falls on Luxottica, they agreed to the terms,” user sin said on BreachForums.

“Also, I’ll let Luxottica come out with how this [the data] was found, it’s pretty laughable. This was also found very very recently, but data is from 2021,” they continued.

The user made the post on November 7, 2022.

Moreover, this was not a small amount of data. Altogether, the dataset held 306,090,199 records, including 14,113,577 from Canada. The data put up on BreachForums was described as ‘customer info of Luxottica’s American and Canadian companies/retail stores’.

The original post on Breached was a pay-to-access arrangement; since then the data has been leaked for free, in its entirety, on both April 30 and May 12, 2023, on different forums.

D3Lab’s Andrea Draghetti was part of the team that analyzed the breach for Luxottica, and determined the exfiltration date to be March 16, 2021.

Draghetti further speculated that the data shared in this leak might be a reshare of data taken in a ransomware attack Luxottica suffered a year earlier.

Luxottica decided it was time to break the silence, having now seen the data distributed on multiple forums (again).

“We discovered through our proactive monitoring procedures that certain retail customer data, allegedly obtained through a third-party related to Luxottica retail customers, was published in an online post. We immediately reported the incident to the FBI and the Italian Police. The owner [Pompompurin] of the website where the data was posted [BreachForums] has been arrested by the FBI. The website was shut down and the investigation is ongoing,” Luxottica told BleepingComputer.

They say they first learned of the incident ‘from a third-party post on the dark web in November 2022’. They also confirmed that the exposed data does indeed contain full customer names, emails, phone numbers, addresses and dates of birth, which is exactly what sin claimed on BreachForums.

So, the post was true.

The data was taken through one of Luxottica’s partners, and that is why it is so important to ensure your supply chain is secure. Set security requirements for your partners, verify that they actually live up to them, and revisit them regularly, because in cases such as this one you have a lot to lose.

Luxottica itself remains in a good position, because it is difficult for consumers to boycott, say, ten brands just because they all belong to Luxottica, especially given which brands they are: those brands are the very definition of luxury.

So, Luxottica remains guarded by the reputation of its brands, and that is a good thing for the company. But that doesn’t mean you can rest easy just because you feel untouchable. Knowing your supply chain and securing your customers’ data should always be the number one priority.

Because without them, your business wouldn’t have anything to stand on.

Crossing the Line: Meta's $1.3 Billion GDPR Penalty Amidst International Data Disputes

Meta's Data Misstep: A $1.3 Billion GDPR Violation and the Tug-of-War Between EU and US Data Laws

In a remarkable blow to Facebook's parent company, the Irish Data Protection Commission (DPC) has imposed a $1.3 billion fine on Meta Ireland. The offence? Breaching Article 46(1) of the GDPR (General Data Protection Regulation). Meta Ireland is found to have transferred the personal data of EU-based users to the US, a jurisdiction whose data protection safeguards are deemed inadequate by EU standards.

Along with the billion-dollar fine, the DPC has given Meta five months to halt all such data transfers. Meta must also, within six months, stop processing or holding any data that was unlawfully transferred.

This violation came to light in the wake of changes to international data transfer rules under GDPR, brought about by the landmark "Schrems II" ruling in 2020. Fast forward to April 2023: the European Data Protection Board (EDPB) issued a binding decision directing the DPC to fine Meta and bring it into compliance with GDPR.

In the aftermath of this verdict, Meta voiced its dissent in a blog post, criticising the fine as disproportionate and unjust. They argued that they had used Standard Contractual Clauses (SCCs) for every transatlantic data transfer, in the belief that this practice complied with GDPR. They further pointed to what they see as a conflict between US and EU rules on government access to data.

Undeterred, Meta announced its intention to appeal the ruling, contesting both the decision and the size of the fine. The planned appeal adds another chapter to the ongoing saga of data protection disputes.

GitLab's Swift Response to Critical Security Flaw: An Emergency Update and the Continuous Battle for Software Security

In response to a critical security issue, GitLab, the web-based Git repository platform, has promptly rolled out an emergency update, version 16.0.1. The culprit? A maximum-severity path traversal vulnerability, tracked as CVE-2023-2825, affecting GitLab Community Edition and Enterprise Edition version 16.0.0.

The flaw, reported by a security researcher, could allow an unauthenticated attacker to read sensitive files on the server under specific circumstances. The risk? Exposure of proprietary code, user credentials, tokens and other private data to malicious actors.

The vulnerability was identified and reported by a researcher known as 'pwnie' through GitLab's HackerOne bug bounty program. The finding was especially alarming because it carries the maximum CVSS v3.1 score of 10.0, marking it as critical.

GitLab was swift in addressing the problem. The company released a security bulletin strongly recommending that the update be applied immediately. The urgency is all the greater because there is no workaround for the vulnerability: any instance still running 16.0.0 needs to be upgraded to 16.0.1.

Alongside the fix, GitLab reaffirmed its commitment to continuously improving its security practices, recognising the risk posed by vulnerabilities of this kind. They also acknowledged the value of bug bounty programs and the role they play in strengthening the platform's security.

This incident puts a spotlight on the constant vigilance required in managing software vulnerabilities, particularly for platforms that hold sensitive data such as source code and credentials. It adds another layer to the ongoing narrative around software security and the need to patch promptly when a critical flaw is disclosed.
