For consumer goods companies, data privacy is of utmost importance as shoppers now have the technology readily available to realize what these organizations are doing with their personal information. It enables them to create a more custom experience that drives stronger brand loyalty through trust – much like in a long-term relationship. However, with great power comes great responsibility, and according to Editor for Cyber Security Hub Jeff Orr, “Even the best security teams can have glaring security vulnerabilities.”
While Orr comments that “it is unfortunate that Estee Lauder had this publicly exposed middleware database,” with over 70 years of being a household beauty products company, the implications for the amount of data to potentially become exposed is massive. In this case, 440,336,852 individual data pieces were exposed, according to researcher Jeremiah Fowler at Security Discovery.
To be more exact, a non-password protected cloud database containing hundreds of millions of customer records and internal logs for the cosmetic giant has been found exposed online, which can create a secondary path for malware through which applications and data can be compromised.
"The database appeared to be a content management system that contained everything from how the network is working to references to internal documents, sales matrix data, and more.," Fowler says, "as soon as I saw email addresses, I was able to validate these were real people and immediately contacted Estee Lauder."
However, he also notes that he can only speculate or assume that the email addresses were from digital commerce or online sales. As for the other data, most of it could be used as reconnaissance for a larger network attack, Fowler adds:
The logs for instance contained IP addresses, ports, pathways and storage information that could be used to map out the company’s internal LAN or WAN; and, middleware used by the company to connect different data-generating software packages was also detailed.
Middleware typically handles tasks like providing a consistent front-end for data management across different internal systems; application services; messaging; authentication; and API management.
The company issued the following statement:
“On 30 January, 2020, we were made aware that a limited number of non-consumer email addresses from an education platform were temporarily accessible via the internet. This education platform was not consumer facing, nor did it contain consumer data. We have found no evidence of unauthorized use of the temporarily accessible data. The Estee Lauder Companies takes data privacy and security very seriously. As soon as we became aware, we took immediate action to secure the data and notify appropriate parties.”
“Our research surveys with enterprise security leaders have found that the larger enterprise organizations do not necessarily have larger security budgets,” says Orr.
He advises that CPG brands and the supply chain need to look holistically at their security posture – everything from retail distribution to e-commerce and operations to third-party relationships – and annual compliance checklists will not be sufficient. “Continuous and on-going assessments of threats and vulnerabilities are the only path forward. And this doesn’t have to be done alone.”
“Security leaders need to participate in the broader security community. There’s an outdated belief that competitors don’t talk to each other. That’s not the case in cyber security. Every business faces the same threats and the same risks. This active gathering of threat intelligence and observing the experiences of others (and how they respond to an attack) is what sets the average security leader apart from the successful one,” says Orr.