For consumer goods companies, data privacy is of utmost importance as shoppers now have the technology readily available to realize what these organizations are doing with their personal information. It enables them to create a more custom experience that drives stronger brand loyalty through trust – much like in a long-term relationship. However, with great power comes great responsibility, and according to Editor for Cyber Security Hub Jeff Orr, “Even the best security teams can have glaring security vulnerabilities.”
While Orr comments that “it is unfortunate that Estee Lauder had this publicly exposed middleware database,” with over 70 years of being a household beauty products company, the implications for the amount of data to potentially become exposed is massive. In this case, 440,336,852 individual data pieces were exposed, according to researcher Jeremiah Fowler at Security Discovery.
To be more exact, a non-password protected cloud database containing hundreds of millions of customer records and internal logs for the cosmetic giant has been found exposed online, which can create a secondary path for malware through which applications and data can be compromised.
"The database appeared to be a content management system that contained everything from how the network is working to references to internal documents, sales matrix data, and more.," Fowler says, "as soon as I saw email addresses, I was able to validate these were real people and immediately contacted Estee Lauder."
However, he also notes that he can only speculate or assume that the email addresses were from digital commerce or online sales. As for the other data, most of it could be used as reconnaissance for a larger network attack, Fowler adds:
The logs for instance contained IP addresses, ports, pathways and storage information that could be used to map out the company’s internal LAN or WAN; and, middleware used by the company to connect different data-generating software packages was also detailed.
Middleware typically handles tasks like providing a consistent front-end for data management across different internal systems; application services; messaging; authentication; and API management.
The company issued the following statement:
“On 30 January, 2020, we were made aware that a limited number of non-consumer email addresses from an education platform were temporarily accessible via the internet. This education platform was not consumer facing, nor did it contain consumer data. We have found no evidence of unauthorized use of the temporarily accessible data. The Estee Lauder Companies takes data privacy and security very seriously. As soon as we became aware, we took immediate action to secure the data and notify appropriate parties.”