$1.5 Million Fine for Warby Parker for Failing to Protect Customer Data

In December 2018, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) started an investigation after the eyewear company Warby Parker reported “unusual, attempted log-in activity” on its website. The investigation found that Warby Parker had suffered a major credential stuffing cyber-attack in which threat actors accessed a trove of sensitive information belonging to almost 200,000 customers. The stolen information included customer names, addresses, payment details, and eyewear prescription data. Subsequently, two smaller additional breaches, in April 2020 and June 2022, reinforced Warby Parker’s pattern of recurring cyber vulnerabilities.

Now the HHS has punished Warby Parker with a $1.5 million fine for failing to fortify its defenses and protect its customers’ data.
