EyeBuyDirect suffered a security breach and customer data, including credit cards, were stolen. Roy Hessel, who is the CEO and founder of EyeBuyDirect, sent a letter to the office of the Attorney General (Joseph Foster) of New Hampshire which is dated on October 13th, 2015. You can read the entire letter and document here.
From the attached letter that was sent to affected customers EyeBuyDirect says the website breach occurred between February 9th, 2015 – May 30th, 2015. The hackers used a Russian IP address and they claim they disabled the hackers access once they figured out the EyeBuyDirect website had been breached and customer data had been comprised.
EyeBuyDirect, or perhaps their parent company Essilor, hired a cybersecurity forensics investigation team. These cybersecurity forensics teams typically research security breaches after the fact and write a report on what happened and how the baddies got unauthorized access to websites or networks. That report was given to EyeBuyDirect on September 22nd, 2015. From this security report the company has implemented new security measures and protocols to prevent future hacking. Of course I do not know what these new measures are or what additional security steps the glasses company is taking.
It is not clear how many EyeBuyDirect customers data was exposed from this hacking incident. In the letter to the Jospeh Foster, Attorney General of New Hampshire, it says that a forensics report concluded that 22 people in New Hampshire had been confirmed to have personal data stolen from the September report. That is a fairly small number but I noticed that the same letter was posted on the Vermont Attorney General’s security and data privacy page. You can see that here. We do at least know that in addition to credit card numbers and CVV codes being stolen, names, addresses, phone numbers, and email addresses were also taken.
I’m sure a lot of people that are customers of EyeBuyDirect are wondering the same thing, “How do I know if my information was part of this hacking incident?” If your personal data was stolen from EyeBuyDirect’s website you likely were already informed by the company. It doesn’t hurt to ask the company if you are concerned though and if you live in the United States I’d recommend going to check your state’s Attorney General’s data and security privacy page and searching to see if a bulletin regarding EyeBuyDirect was posted tehre.
If you are a customer that was affected by EyeBuyDirect website being hacked they are offering 12 months of AllClear ID which protects people’s identity with special monitoring technology… supposedly. (In my experience these identity protection companies do not do much.) The 12 month period started when a customer received a notice of the security breach and they are able to use the AllClear ID protection to help with financial loses, credit repair, and identity repair.
These are all the details of the EyeBuyDirect hacking that I have been able to find. If you are a customer and know of anything else regarding this website breach, I’d appreciate if you shared with a comment below. Typically companies are required to inform the public of security breaches but do not provide information regarding the breach or how they are stepping up security. They consider that sensitive and secret information.
So far I am not aware of any other online glasses retailers that has suffered a security breach like EyeBuyDirect but you never know. There are new cybersecurity threats that pop-up everyday.