A data exposure made public on Jan. 30 and linked to cosmetics giant Estée Lauder left more than 440 million records open to the internet, but none apparently contained customers’ payment information or sensitive information about employees.
“To the best of my knowledge, the database did not contain payment data or sensitive employee information based on what I personally saw,” said a blog post from Jeremiah Fowler of SecurityDiscovery.com, who discovered the breach.
Reporting on the breach, Forbes published this statement from Estée Lauder:
“On Jan. 30 we were made aware that a limited number of non-consumer email addresses from an education platform were temporarily accessible via the internet. This education platform was not consumer facing, nor did it contain consumer data. We have found no evidence of unauthorized use of the temporarily accessible data. The Estee Lauder Companies takes data privacy and security very seriously. As soon as we became aware, we took immediate action to secure the data and notify appropriate parties.”
It took Fowler some time and effort to get word of the exposure to someone at Estée Lauder who could act on it.
“I immediately sent a responsible disclosure notice to Estée Lauder alerting them to the exposure,” he wrote. “As in most large companies when reporting a data exposure, it is usually extremely difficult to get through the firewall of gatekeepers, but several hours and multiple emails later the data was still exposed. After calling every phone number I could find I was able to reach someone by phone who then promised to pass on the information. The company acted fast and professionally and restricted public access to the database on the same day as my notification.”
Fowler’s list of what he discovered before reaching out to Estée Lauder included:
- 440,336,852 logs and records that should not have been publicly exposed online.
- “User” emails in plain text (including internal email addresses from the @estee.com domain)
- Production, audit, error, CMS, and middleware logs were exposed.
- References to reports and other internal documents.
- IP addresses, ports, pathways, and storage info that cyber criminals could use to move deeper into the network.
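The categories in Fowler’s list are exactly what a responder has to count before a notification can say what was and was not exposed. As an added example, not code from Fowler’s post or from Estée Lauder, the script below runs a simple triage pass over log records and tags each one that carries a plaintext e-mail address, an address on an internal domain (here assumed to be @estee.com, taken from the list above), an IP address or IP:port pair, a filesystem path, or a cloud storage reference. The sample records are constructed for this example and are not taken from the exposed database.

```python
import re
from collections import Counter

# Constructed sample log records for this example; they are NOT from the
# exposed database, only modelled on the record types the article lists.
SAMPLE_RECORDS = [
    '2020-01-30T09:12:44Z INFO user=jane.doe@example.com login ok',
    '2020-01-30T09:13:01Z ERROR upstream 10.20.30.40:9200 timeout path=/var/log/app/audit.log',
    '2020-01-30T09:13:05Z DEBUG cms export to s3://reports-bucket/q4/internal-report.pdf',
    '2020-01-30T09:14:10Z INFO user=admin@estee.com viewed report id=77',
    '2020-01-30T09:15:00Z WARN middleware health ok',
]

EMAIL_RE = re.compile(r'\b[\w.+-]+@([\w-]+\.)+[A-Za-z]{2,}\b')
# IPv4 address with an optional :port suffix
IP_PORT_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b')
# Absolute filesystem path; the lookbehind keeps URL schemes (s3://...) out
PATH_RE = re.compile(r'(?<![\w:/])/(?:[\w.-]+/)*[\w.-]+')
STORAGE_RE = re.compile(r'\b(?:s3|gs|azure|wasb)://[\w./-]+', re.IGNORECASE)

# Assumed internal mail domain, taken from the article's list.
INTERNAL_DOMAINS = {'estee.com'}


def classify_record(record, internal_domains=INTERNAL_DOMAINS):
    """Return the set of sensitive-data categories found in one log record."""
    found = set()
    for m in EMAIL_RE.finditer(record):
        found.add('email')
        domain = m.group(0).rsplit('@', 1)[1].lower()
        if domain in internal_domains:
            found.add('internal_email')
    if IP_PORT_RE.search(record):
        found.add('ip_or_port')
    if STORAGE_RE.search(record):
        found.add('storage_ref')
    if PATH_RE.search(record):
        found.add('path')
    return found


def triage(records, internal_domains=INTERNAL_DOMAINS):
    """Count records per category so a disclosure can state what was exposed."""
    counts = Counter()
    flagged = 0
    for rec in records:
        cats = classify_record(rec, internal_domains)
        if cats:
            flagged += 1
        counts.update(cats)
    return {'total': len(records), 'flagged': flagged, 'by_category': dict(counts)}


if __name__ == '__main__':
    print(triage(SAMPLE_RECORDS))
```

The patterns are deliberately coarse: the point of a first pass over hundreds of millions of records is to learn which categories are present at all, so that the notification and the cleanup can be scoped, and to pull the internal-domain hits out for priority review. A second pass with stricter parsing (and no regex on untrusted data at this scale without a timeout) is where exact counts come from.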
Estée Lauder’s digital pressroom makes no mention of the data breach, nor is it referenced on the beauty brand’s social media.
Other recently revealed data breaches include one that exposed credit card information, including CVV codes, belonging to ecommerce customers of Hanna Andersson, the Portland, OR-based children’s clothing brand with Swedish roots. The retailer was hit by a Magecart card-skimming attack last fall that came to light only when affected customers were notified by letter on Jan. 15.