440M records exposed online by cosmetics maker Estée Lauder
Some 440 million records in a database belonging to cosmetics maker Estée Lauder Companies Inc. have been found unsecured and exposed online, potentially putting customers at risk.
The database was discovered by security researcher Jeremiah Fowler from Security Discovery Jan. 30 and publicized today. It involved 440,336,852 individual pieces of data, including plaintext email addresses, some sent from internal email addresses. It also included references to reports and internal documents as well as IP addresses, ports, pathways and storage information.
In addition, the database included information relating to Estée Lauder’s internal systems and content management system. The data is believed to have its origin in middleware being used by the company.
Fowler reached out to Estée Lauder to advise it of the exposure, and the company acted promptly to take the database offline.
In a statement, Estée Lauder confirmed the data exposure, saying that the database contained “a limited number of non-consumer email addresses from an education platform.” It also claimed it contained no consumer data and it had found no evidence of unauthorized use.
How long the data was accessible online is unknown. Given the depth of the data exposed, the company’s claim that it contained no consumer data is not entirely reassuring. There is also a serious concern that the data relating to internal systems, including IP addresses, ports, paths, storage details and references to the middleware and content management system, could have served as reconnaissance for an attacker, providing a map of internal infrastructure from which to mount a further intrusion and compromise additional data.
“With the data stolen, customers are the primary targets for cybercriminals, who will use their information to take over accounts the victims have with other online companies,” Robert Capps, vice president of market innovation for security firm NuData Security, a Mastercard company, told SiliconANGLE. He added that there’s also a risk of impersonation by bad actors who could create new accounts with the victim’s information or open up new credit lines.
“For organizations with an online presence, more technologies are needed to verify legitimate customers from imposters,” Capps said. “New technologies like behavioral analytics and passive biometrics are being leveraged to protect businesses and their customers from account takeover by recognizing customers’ online behavior instead of basing a decision on a password, SIN or another credential. Hackers are not able to mimic inherent user behavior online, making stolen credentials valueless.”
Francis Gaffney, director of threat intelligence at cloud email management firm Mimecast Services Ltd., noted that the exposure might have violated the European Union’s General Data Protection Regulation.
“GDPR is not just something else an organization needs to comply with, but rather benefit from the behaviors GDPR is designed to encourage,” Gaffney said. “GDPR isn’t a burden if businesses view it through the lens of their customers, partners or employees. If someone trusts you with their data, you owe it to them to protect it, to know exactly where that data is stored, and who can access that data.”
Photo: Gaosoruela/Wikimedia Commons