As users, it is common to think that information security incidents only affect technology companies. This is a misconception, as data security incidents are constantly reported across all kinds of companies. This is precisely what just happened at cosmetics company Estée Lauder, which suffered a data breach that exposed nearly 440 million records.
The incident was caused by an unprotected database, according to Jeremiah Fowler, the researcher who made the finding. The exposed database contained unencrypted email address records of customers and employees, marketing reports, internal documents, as well as information about IP addresses and data storage paths. Fowler added that he notified the team responsible for information security at Estée Lauder, which immediately disabled access to the database.
Shortly after receiving the report, Estée Lauder confirmed the incident, stating that the database exposed a limited number of email addresses (of non-customer members) registered on an online platform. The cosmetics company’s information security team also claimed that no improper access to the database has been recorded so far.
However, the company’s problems are not over, as it still needs to conduct an investigation to determine whether any threat actors accessed the exposed information. In addition, the disclosure has raised further questions for customers, as data breaches can sometimes be exploited as an entry point into a company’s internal networks, exposing further internal and customer details.
“Incidents like this expose users to various malicious activities. Hackers could send phishing emails, make purchases on other sites with their payment card data, and even perform phishing attacks,” says Robert Capps, information security specialist.
As the company’s investigation is ongoing, the International Institute of Cyber Security (IICS) points out that the incident could be investigated under the European Union General Data Protection Regulation (GDPR), as EU citizens’ data was exposed. It should be remembered that fines for non-compliance with this law reach up to 4% of the company’s annual profits, so the incident could have disastrous financial consequences for the New York-based firm.